WordPress
Monthly
Missing authorization in the merkulove Worker for Elementor WordPress plugin (versions through 1.0.10) allows unauthenticated or low-privileged users to reach functionality that should be gated by a capability check. The flaw is CWE-862 (Missing Authorization): the plugin performs privileged actions without verifying the caller's permissions, so any site running a vulnerable version is exposed. This entry states no patched version or severity.
Reflected Cross-site Scripting (XSS) in nebelhorn Blappsta Mobile App Plugin for WordPress affects versions through 0.8.8.8, allowing unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper input neutralization during page generation. With an EPSS score of 0.04% (14th percentile), exploitation likelihood is low, and no public exploit code or active exploitation has been identified at time of analysis.
Reflected cross-site scripting (XSS) in ZD Scribd iPaper WordPress plugin version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation (CWE-79). With an EPSS score of 0.04% indicating low exploitation probability and no public proof-of-concept or active exploitation confirmed, this represents a lower-priority vulnerability despite the XSS classification, though it remains exploitable if a malicious link is crafted and social-engineered to victims.
Reflected cross-site scripting (XSS) in ZhinaTwitterWidget WordPress plugin version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers. No public exploit code or active exploitation has been identified at the time of analysis.
Reflected cross-site scripting (XSS) in En Masse WordPress plugin versions 1.0 and earlier allows unauthenticated remote attackers to inject arbitrary JavaScript into web pages viewed by other users. The vulnerability exists due to improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute scripts in the context of the affected site. No active exploitation has been confirmed, and real-world risk is low given the EPSS score of 0.04% (14th percentile), though any site with the plugin active is exposed to a crafted link delivered to a logged-in user.
Reflected Cross-Site Scripting (XSS) in Zielke Design Project Gallery WordPress plugin through version 2.5.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation; a victim who follows a crafted URL can have session cookies stolen, actions performed in their name, or be redirected to a malicious site. No public exploit code or active exploitation has been confirmed at time of analysis, and the low EPSS score (0.04%, 14th percentile) indicates minimal observed exploitation activity.
Reflected cross-site scripting (XSS) in the front-end-post-edit WordPress plugin through version 1.0.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, with the same consequences for a victim who follows a crafted URL: session cookie theft, actions performed on their behalf, or redirection to a malicious site. No public exploit code or active exploitation has been confirmed at the time of analysis, and the low EPSS score (0.04%, 14th percentile) indicates limited real-world exploitation likelihood even though reflected XSS is a common attack vector.
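The reflected XSS entries above all describe the same defect: a request parameter is written into the page without escaping for the context it lands in. The following PHP is an added illustration written for this page, not code from any plugin named here; it assumes a WordPress runtime, and the shortcode name (demo_search) and query parameter (q) are placeholders.

```php
<?php
// Added example for this page; not taken from any plugin listed above.
// Assumed: runs inside WordPress as a shortcode callback. "q" is a placeholder.

// VULNERABLE: the request parameter is echoed into the page unchanged, so a
// link such as ?q=<script>...</script> (or ?q=" onfocus=... autofocus) runs
// in the browser of whoever opens it. Both output positions are injectable.
function demo_search_box_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

// HARDENED: escape for the exact output context. Attribute values use
// esc_attr(), text nodes use esc_html(), href/src use esc_url(). Input
// sanitization (sanitize_text_field) removes tags and control characters but
// is not a substitute for output escaping, because the safe encoding depends
// on where the value lands, not on what it contains.
function demo_search_box_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '<input type="text" name="q" value="' . esc_attr( $q ) . '">'
         . '<p>Results for ' . esc_html( $q ) . '</p>'
         . '<a href="' . esc_url( add_query_arg( 'q', $q ) ) . '">permalink</a>';
}
add_shortcode( 'demo_search', 'demo_search_box_hardened' );
```

When reviewing a plugin for this class, search for `$_GET`, `$_POST` and `$_REQUEST` reads whose value reaches `echo`, `print`, `printf` or string concatenation into HTML without one of the `esc_*` functions between the read and the output.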
Missing authorization in Headinger for Elementor plugin (versions up to 1.1.4) permits unauthenticated or insufficiently privileged attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability stems from missing capability checks: the plugin does not validate user permissions before granting access to sensitive functionality, so attackers can use the plugin's features beyond their intended authorization scope.
Criptopayer for Elementor WordPress plugin through version 1.0.1 contains a missing authorization vulnerability allowing unauthenticated attackers to reach functionality that should be restricted to privileged users. This is an authorization flaw, not an authentication bypass: the plugin fails to validate the caller's permissions before exposing sensitive functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation probability is currently low, and no active exploitation or public proof-of-concept code has been reported.
Missing authorization in merkulove Countdowner for Elementor plugin (versions up to 1.0.4) allows unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. With an EPSS score of 0.05% (17th percentile), this vulnerability represents low real-world exploitation probability despite the authorization bypass classification.
Missing authorization in the merkulove Appender WordPress plugin versions through 1.1.1 allows authenticated attackers to bypass access control checks and exploit incorrectly configured security levels, potentially gaining unauthorized access to restricted functionality or data. EPSS probability is minimal at 0.05%, and no public exploit code or active exploitation has been reported.
Missing authorization in merkulove UnGrabber WordPress plugin version 3.1.3 and earlier allows unauthenticated attackers to bypass the plugin's access restrictions. The vulnerability is classified as CWE-862 (Missing Authorization): the plugin performs actions without verifying that the caller holds the required privilege.
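The "missing authorization" entries on this page share one root cause: a handler that performs a privileged action is reachable without a capability check, most often through admin-ajax.php (where a `wp_ajax_nopriv_` registration makes it reachable by anonymous callers, which is what "unauthenticated" means in these advisories) or through a REST route with a permissive `permission_callback`. The following PHP is an added illustration written for this page, not code from any plugin named here; it assumes a WordPress runtime, and the action name (demo_save_settings), option (demo_settings) and route (demo/v1/settings) are placeholders.

```php
<?php
// Added example for this page; not taken from any plugin listed above.
// Assumed: WordPress runtime. All names starting with "demo" are placeholders.

// VULNERABLE: registered for both logged-in and anonymous callers and never
// asks who is calling. Anyone who can reach admin-ajax.php can change the
// option. This is the pattern behind "unauthenticated" CWE-862 advisories.
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_vulnerable' );
function demo_save_settings_vulnerable() {
    update_option( 'demo_settings', $_POST['settings'] );
    wp_send_json_success();
}

// HARDENED: registered for logged-in users only, verifies the nonce (anti-CSRF)
// and then the capability (authorization). The nonce is not an authorization
// check: a logged-in subscriber can obtain a valid nonce from any page that
// prints it, so current_user_can() is what actually enforces the boundary.
add_action( 'wp_ajax_demo_save_settings_v2', 'demo_save_settings_hardened' );
function demo_save_settings_hardened() {
    check_ajax_referer( 'demo_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = isset( $_POST['settings'] ) ? sanitize_text_field( wp_unslash( $_POST['settings'] ) ) : '';
    update_option( 'demo_settings', $settings );
    wp_send_json_success();
}

// The same mistake on the REST API is permission_callback => '__return_true',
// which makes the route public. Return a real capability check instead and
// let the schema sanitize the argument.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'settings' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
function demo_rest_save_settings( WP_REST_Request $request ) {
    update_option( 'demo_settings', $request->get_param( 'settings' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

A quick triage check for any plugin in this list: grep its source for `wp_ajax_nopriv_` and `'__return_true'` and confirm that every handler found either needs no privilege by design or calls `current_user_can()` before acting.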
Stored cross-site scripting (XSS) in Gora Tech Cooked WordPress plugin versions up to 1.11.3 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers. The vulnerability persists in the plugin's database and is triggered when affected content is viewed, enabling account compromise, session hijacking, or malware distribution to site visitors. This is a low-probability exploitation risk (EPSS 0.04%) but represents a meaningful concern for multi-user WordPress installations where contributor or editor-level accounts are delegated.
Stored cross-site scripting (XSS) in the eleopard Behance Portfolio Manager WordPress plugin versions 1.7.5 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other users visiting affected pages. The vulnerability stems from improper input sanitization during portfolio content generation, enabling attackers with contributor-level access or higher to compromise site visitors. No public exploit code or active exploitation has been reported, though the vulnerability carries a low EPSS score (0.04%, percentile 13%) suggesting limited real-world exploitation likelihood at time of analysis.
Stored XSS vulnerability in ikaes Accessibility Press plugin (ilogic-accessibility) versions through 1.0.2 allows authenticated attackers to inject arbitrary JavaScript that executes in the browsers of other site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability stems from improper input sanitization during web page generation and carries a low exploitation probability (EPSS 0.04%) with no confirmed active exploitation.
Stored cross-site scripting (XSS) in Dashboard Beacon WordPress plugin versions up to 1.2.0 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage and execution across user sessions. No public exploit code or active exploitation has been confirmed.
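The stored XSS entries above differ from the reflected ones in where the payload lives: it is written to the database by a lower-privileged user and rendered later for everyone who views the content, including administrators. The following PHP is an added illustration written for this page, not code from any plugin named here; it assumes a WordPress runtime, and the meta key (_demo_caption), field name and nonce action are placeholders.

```php
<?php
// Added example for this page; not taken from any plugin listed above.
// Assumed: WordPress runtime. Names starting with "demo" are placeholders.

// VULNERABLE: a contributor saves arbitrary HTML into post meta, and the
// front end prints it raw. The payload persists and fires for every later
// viewer, so an editor or administrator who previews the post is hit.
function demo_save_caption_vulnerable( $post_id ) {
    if ( isset( $_POST['demo_caption'] ) ) {
        update_post_meta( $post_id, '_demo_caption', $_POST['demo_caption'] );
    }
}
function demo_render_caption_vulnerable( $post_id ) {
    return '<figcaption>' . get_post_meta( $post_id, '_demo_caption', true ) . '</figcaption>';
}

// HARDENED: verify the nonce and the caller's right to edit this post, filter
// the HTML with wp_kses_post() on the way in (it keeps post-safe markup and
// drops <script>, on* event handlers and javascript: URLs), and filter again
// on the way out so a record written by an older, unfiltered code path
// cannot execute either.
add_action( 'save_post', 'demo_save_caption_hardened' );
function demo_save_caption_hardened( $post_id ) {
    if ( ! isset( $_POST['demo_caption'], $_POST['demo_caption_nonce'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['demo_caption_nonce'], 'demo_save_caption_' . $post_id ) ) {
        return;
    }
    // edit_post is the per-object capability: a contributor may edit their
    // own draft but not another author's post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $caption = wp_kses_post( wp_unslash( $_POST['demo_caption'] ) );
    update_post_meta( $post_id, '_demo_caption', $caption );
}
function demo_render_caption_hardened( $post_id ) {
    return '<figcaption>' . wp_kses_post( get_post_meta( $post_id, '_demo_caption', true ) ) . '</figcaption>';
}
```

If the field only ever needs plain text, `sanitize_text_field()` on save and `esc_html()` on output is the stricter choice; `wp_kses_post()` is for fields that legitimately carry markup.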
Missing authorization in Select Graphist for Elementor WordPress plugin versions up to 1.2.10 allows unauthenticated attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.01% and no confirmed active exploitation, this represents a low-probability attack despite the authorization flaw.
Missing authorization in Walker for Elementor plugin (versions through 1.1.6) allows unauthenticated attackers to exploit improperly configured access controls to bypass intended security restrictions and access unauthorized functionality. The vulnerability stems from inadequate permission validation in the plugin's WordPress implementation, enabling attackers to interact with protected features without proper authentication or role-based authorization checks.
Gmaper for Elementor plugin versions up to 1.0.9 contains a missing authorization vulnerability (CWE-862) that allows attackers to reach restricted functionality because the plugin does not check the caller's capabilities before acting. The vulnerability carries a 0.02% EPSS score (percentile 4%), indicating minimal real-world exploitation risk at present, with no public exploit code or active exploitation currently identified.
Missing authorization in merkulove Sliper for Elementor plugin versions up to 1.0.10 allows attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient access control validation (CWE-862), enabling unauthenticated or low-privileged users to perform actions they should not be authorized to execute. With an EPSS score of 0.02% (4th percentile) indicating very low real-world exploitation likelihood, this issue represents a lower-priority authorization flaw compared to actively exploited vulnerabilities.
Missing authorization in merkulove Watcher for Elementor plugin (versions up to 1.0.9) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive functionality or data. The vulnerability carries an EPSS score of 0.02% (percentile 4%), indicating very low observed exploitation probability, with no public exploit code or active exploitation confirmed at the time of analysis.
Missing authorization in merkulove Questionar for Elementor plugin versions up to 1.1.7 allows attackers to reach functionality the plugin fails to protect, potentially enabling unauthorized access to questionnaire data or administrative functions. The vulnerability stems from inadequate privilege validation and affects all sites running the vulnerable versions. With an EPSS score of 0.02% and no CVSS severity assigned, real-world exploitation likelihood is currently minimal, though a missing authorization check is a direct exposure of plugin functionality and warrants patching.
Missing authorization in Merkulove Couponer for Elementor plugin versions up to 1.1.7 allows unauthenticated attackers to bypass access controls, potentially gaining unauthorized access to coupon management functionality. The EPSS score of 0.02% indicates low observed exploitation probability; it says nothing about how hard the flaw is to trigger.
Missing authorization in Northern Beaches Websites WP Custom Admin Interface plugin (versions up to 7.40) allows unauthenticated attackers to bypass access controls and perform actions the plugin should restrict to privileged users. The vulnerability affects WordPress installations using this plugin and carries a very low EPSS score (0.01%, 2nd percentile), suggesting limited real-world exploitation likelihood in practice.
Missing authorization in the Alexander AnyComment WordPress plugin through version 0.3.6 allows unauthenticated attackers to reach protected functionality without holding the privileges it should require. The issue is a missing authorization check (CWE-862), not an authentication bypass: the affected code path never asks whether the caller is permitted to perform the action, so authenticated low-privilege users are exposed to it as well as anonymous ones. With an EPSS score of 0.02% and no reported active exploitation, this represents a low-probability real-world risk, though access control flaws of this kind are trivial to trigger once the affected endpoint is known.
Cross-Site Request Forgery (CSRF) vulnerability in inkthemes WP Gmail SMTP plugin through version 1.0.7 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the WordPress plugin across all versions up to and including 1.0.7, enabling attackers to potentially modify email configuration settings or other administrative functions via crafted web requests. No public exploit code has been identified at the time of analysis, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the theoretical attack surface.
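The CSRF entries on this page describe handlers that trust any request arriving with an administrator's cookies. WordPress's defence is a nonce tied to the action and the logged-in user, verified on the server before the handler acts. The following PHP is an added illustration written for this page, not code from the WP Gmail SMTP plugin or any other plugin named here; it assumes a WordPress runtime, and the option name (demo_smtp_host) and action names are placeholders.

```php
<?php
// Added example for this page; not taken from any plugin listed above.
// Assumed: WordPress runtime. Names starting with "demo" are placeholders.

// VULNERABLE: any POST that carries the admin's session cookie is accepted.
// A page on another site can auto-submit a form to
// admin-post.php?action=demo_save_smtp and repoint the SMTP host while the
// administrator is logged in, with no interaction beyond visiting the page.
add_action( 'admin_post_demo_save_smtp', 'demo_save_smtp_vulnerable' );
function demo_save_smtp_vulnerable() {
    update_option( 'demo_smtp_host', $_POST['smtp_host'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// HARDENED: the form embeds a nonce; the handler verifies it with
// check_admin_referer() (which calls wp_die() on failure) and then checks the
// capability. Both are needed: the nonce proves the request originated from
// a page WordPress rendered for this user, the capability proves the user is
// allowed to change the setting.
function demo_render_smtp_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_smtp_v2">';
    wp_nonce_field( 'demo_save_smtp', 'demo_smtp_nonce' );
    echo '<input type="text" name="smtp_host" value="' . esc_attr( get_option( 'demo_smtp_host', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
add_action( 'admin_post_demo_save_smtp_v2', 'demo_save_smtp_hardened' );
function demo_save_smtp_hardened() {
    check_admin_referer( 'demo_save_smtp', 'demo_smtp_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $host = isset( $_POST['smtp_host'] ) ? sanitize_text_field( wp_unslash( $_POST['smtp_host'] ) ) : '';
    update_option( 'demo_smtp_host', $host );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
```

Note that a nonce check on its own does not fix the "missing authorization" entries elsewhere on this page: a nonce is available to any logged-in user who can load a page that prints it, so the capability check is still required.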
Hide Plugins WordPress plugin through version 1.0.4 fails to enforce authorization checks, allowing unauthenticated or low-privileged users to reach plugin management functions intended for administrators. The missing access control (CWE-862) could let an attacker change which plugins are hidden or otherwise manipulate the plugin's settings. EPSS indicates low real-world exploitation probability (0.01%, 2nd percentile).
The Signature Add-On for Gravity Forms plugin (version 1.8.6 and earlier) contains a missing authorization vulnerability (CWE-862) that allows attackers to reach functionality or data that should be restricted by role and capability. The plugin does not verify the caller's permissions before exposing the affected functionality; this is an authorization flaw, not an authentication bypass. It affects WordPress installations running the vulnerable versions.
Server-Side Request Forgery (SSRF) in the WordPress & WooCommerce Scraper Plugin (wp_scraper) versions up to 1.0.7 allows unauthenticated attackers to make arbitrary HTTP requests from the affected WordPress server. The vulnerability exists in the plugin's core scraping functionality, which fails to properly validate or restrict the target URLs that can be requested. An attacker can exploit this to scan internal networks, access internal services, exfiltrate data from backend systems, or perform reconnaissance against the hosting infrastructure. No public exploit code has been identified at time of analysis, and EPSS risk is minimal at 0.01%, but the vulnerability affects all installations of the vulnerable plugin versions.
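The SSRF entry above is the one case on this page where the server, not the browser, is the victim: the plugin fetches a URL the caller chooses. The following PHP is an added illustration written for this page, not code from the wp_scraper plugin; it assumes a WordPress runtime, and the action name (demo_fetch) and parameter (url) are placeholders. It goes a step past WordPress's built-in validation because `wp_http_validate_url()` rejects loopback and RFC 1918 ranges but not 169.254.0.0/16 (cloud metadata services) or IPv6 special ranges.

```php
<?php
// Added example for this page; not taken from any plugin listed above.
// Assumed: WordPress runtime. Names starting with "demo" are placeholders.

// VULNERABLE: fetches whatever URL the caller supplies, so the server can be
// pointed at http://169.254.169.254/ (cloud metadata), http://127.0.0.1:PORT/
// or internal hostnames, and the nopriv registration means no login is needed.
add_action( 'wp_ajax_nopriv_demo_fetch', 'demo_fetch_vulnerable' );
function demo_fetch_vulnerable() {
    $response = wp_remote_get( $_POST['url'] );
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// Resolve the host and refuse any address in a private or reserved range.
// FILTER_FLAG_NO_PRIV_RANGE covers 10/8, 172.16/12, 192.168/16 and fc00::/7;
// FILTER_FLAG_NO_RES_RANGE covers 0/8, 127/8, 169.254/16, 240/4, ::1, ::/128,
// ::ffff:0:0/96 and fe80::/10. gethostbynamel() only returns IPv4 records.
function demo_host_is_public( $host ) {
    $ips = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : gethostbynamel( $host );
    if ( empty( $ips ) ) {
        return false;
    }
    foreach ( $ips as $ip ) {
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true;
}

// HARDENED: require a logged-in user with a capability, accept only http(s),
// validate with wp_http_validate_url() (scheme, no userinfo, port 80/443/8080,
// loopback and RFC 1918 targets), add the reserved-range check above, and fetch
// with wp_safe_remote_get() with redirects disabled so an allowed URL cannot
// bounce to a forbidden one. DNS rebinding between the check and the fetch is
// still possible; pinning the resolved IP is the next step if that matters.
add_action( 'wp_ajax_demo_fetch_v2', 'demo_fetch_hardened' );
function demo_fetch_hardened() {
    check_ajax_referer( 'demo_fetch', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url    = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $parsed = wp_parse_url( $url );
    if ( ! $parsed || empty( $parsed['host'] ) || ! in_array( $parsed['scheme'], array( 'http', 'https' ), true ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    if ( false === wp_http_validate_url( $url ) || ! demo_host_is_public( $parsed['host'] ) ) {
        wp_send_json_error( 'target not allowed', 400 );
    }
    $response = wp_safe_remote_get( $url, array(
        'timeout'     => 5,
        'redirection' => 0,
    ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}
```

For a scraper that legitimately needs to reach arbitrary public sites, this allowlist-by-range approach is the practical minimum; if the set of targets is known, a host allowlist is stricter and simpler.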
WP Messiah BoomDevs WordPress Coming Soon plugin through version 1.0.4 exposes sensitive system information to unauthorized access, allowing attackers to retrieve embedded sensitive data without authentication. The vulnerability stems from improper access controls on sensitive data endpoints, classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). With an EPSS score of 0.01% (2nd percentile), exploitation likelihood is minimal despite the information disclosure nature of the defect.
Missing authorization in the Easy Upload Files During Checkout WordPress plugin through version 3.0.0 allows unauthenticated attackers to exploit incorrectly configured access controls to bypass security restrictions and upload files. The vulnerability, classified as a broken access control flaw (CWE-862), affects the plugin's core file upload functionality during checkout operations. While EPSS scoring indicates very low exploitation probability (0.01%, 2nd percentile), the absence of CVSS data and patch version information limits quantification of attack complexity and remediation specificity.
Authorization bypass in Order Cancellation & Returns for WooCommerce plugin (versions ≤1.1.11) allows unauthenticated or low-privileged users to access and manipulate order cancellation and return functionality through user-controlled parameters. The vulnerability stems from access control checks that fail to validate the caller's permissions against the requested resource, the pattern CWE-639 (Authorization Bypass Through User-Controlled Key) describes: an attacker supplies another customer's order identifier and the plugin acts on it. The EPSS score of 0.01% indicates low observed exploitation likelihood despite the straightforward attack vector.
Direct Payments WP WordPress plugin through version 1.3.2 exposes sensitive system information to unauthorized parties (CWE-497, Exposure of Sensitive System Information to an Unauthorized Control Sphere), allowing attackers to retrieve the embedded data without authentication. The vulnerability affects all versions up to and including 1.3.2, with an EPSS score of 0.01% indicating minimal observed exploitation probability.
Missing authorization in the Direct Payments WP WordPress plugin version 1.3.2 and earlier allows attackers to reach payment functionality without the privileges it should require. This is an authorization flaw (CWE-862), not an authentication bypass. It affects all installations up to version 1.3.2; the EPSS score of 0.01% indicates very low real-world exploitation probability, and no CVSS rating has been assigned.
Cross-site request forgery (CSRF) in the Post Snippets WordPress plugin through version 4.0.11 allows unauthenticated attackers to perform unauthorized administrative actions on vulnerable sites by tricking authenticated administrators into visiting malicious web pages. The vulnerability affects all versions up to and including 4.0.11. No CVSS vector has been assigned and the EPSS score is at the baseline, so there is no indication of exploitation activity at this time.
Cross-Site Request Forgery (CSRF) vulnerability in Gmedia Photo Gallery WordPress plugin through version 1.25.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An unauthenticated remote attacker can craft a web page or email that, when opened by a logged-in administrator or user, submits requests that modify gallery settings, upload images, or change plugin configuration. The exploitation probability is very low (EPSS 0.02%, 5th percentile), but CSRF requires nothing of the victim beyond loading attacker-controlled content while logged in.
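The two "user-controlled key" entries on this page (Order Cancellation & Returns for WooCommerce above, and Master Addons for Elementor further down) are distinct from plain missing authorization: the caller is allowed to use the feature, but the object it operates on is chosen by an identifier the caller supplies, and nothing ties that object back to the caller. The following PHP is an added illustration written for this page, not code from either plugin; it assumes WooCommerce is active, and the action name (demo_cancel_order) and parameter (order_id) are placeholders.

```php
<?php
// Added example for this page; not taken from any plugin listed above.
// Assumed: WordPress with WooCommerce active. "demo" names are placeholders.

// VULNERABLE: resolves whatever order ID the caller sends and acts on it. The
// only implicit check is "logged in" (wp_ajax_ without nopriv), so any
// customer can cancel any other customer's order by changing order_id.
add_action( 'wp_ajax_demo_cancel_order', 'demo_cancel_order_vulnerable' );
function demo_cancel_order_vulnerable() {
    $order = wc_get_order( absint( $_POST['order_id'] ) );
    $order->update_status( 'cancelled' );
    wp_send_json_success();
}

// HARDENED: the key stays user-controlled (it has to be), so the fix is to
// check that the resolved object belongs to the caller, or that the caller
// holds a capability that spans all orders. Nonce first, then ownership,
// then a state check so the action cannot be replayed on a paid order.
add_action( 'wp_ajax_demo_cancel_order_v2', 'demo_cancel_order_hardened' );
function demo_cancel_order_hardened() {
    check_ajax_referer( 'demo_cancel_order', 'nonce' );
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        // Same response for "does not exist" and "not yours" below, so the
        // caller cannot enumerate valid order IDs from differing errors.
        wp_send_json_error( 'not found', 404 );
    }
    // Guest orders have customer_id 0 and get_current_user_id() is 0 for an
    // anonymous session, so the explicit non-zero guard keeps a 0 == 0 match
    // from granting access should this handler ever be exposed via nopriv.
    $user_id  = get_current_user_id();
    $is_owner = $user_id && (int) $order->get_customer_id() === $user_id;
    if ( ! $is_owner && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    if ( ! $order->has_status( array( 'pending', 'on-hold' ) ) ) {
        wp_send_json_error( 'order can no longer be cancelled', 409 );
    }
    $order->update_status( 'cancelled', 'Cancelled by customer.' );
    wp_send_json_success();
}
```

The same shape applies to any object type: resolve the ID, then compare an owner field on the resolved object to the caller before touching it, rather than trusting that the ID came from a form the caller was shown.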
Missing authorization controls in All in One Accessibility WordPress plugin versions 1.15 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to access or modify functionality that should be restricted, though exploitation probability is low (EPSS 0.04%). No public exploit code or active exploitation has been identified at the time of analysis.
Missing authorization controls in GS Portfolio for Envato WordPress plugin versions up to 1.4.2 allow unauthenticated attackers to bypass access restrictions and exploit incorrectly configured security levels to access protected functionality or data. The vulnerability stems from inadequate access control validation, enabling attackers to manipulate requests to resources that should be restricted. No public exploit code has been identified, and the low EPSS score of 0.04% suggests limited real-world exploitation likelihood, though the missing CVSS vector prevents definitive severity assessment.
Missing authorization in the Vireo WordPress theme (versions up to 1.0.24) enables authenticated attackers with low privileges to bypass access controls and execute high-impact operations including data exfiltration, integrity compromise, and availability disruption. The vulnerability affects a specific WordPress theme product from extendthemes with CVSS 8.8 severity. While EPSS probability is low (0.04%, 13th percentile), the low attack complexity and network attack vector warrant attention for sites using this theme. No public exploit identified at time of analysis, and not listed in CISA KEV.
Missing authorization checks in Aum Watcharapon Featured Image Generator WordPress plugin versions up to 1.3.4 allow unauthenticated or low-privileged attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive plugin functionality. The EPSS score of 0.04% indicates low exploitation probability in practice despite the authorization flaw.
Missing authorization in the AI Content Writing Assistant WordPress plugin (versions up to 1.1.7) allows unauthenticated or low-privileged users to reach restricted functionality. The affected code path omits the capability check (CWE-862) that should precede sensitive operations, so any caller who can reach it may invoke it. EPSS scoring indicates low exploitation probability (0.04%), but the flaw is a direct, unauthenticated path to the affected feature rather than one that depends on chaining.
Missing authorization in themesawesome History Timeline WordPress plugin versions through 1.0.6 allows unauthenticated or low-privileged users to bypass access restrictions and reach protected functionality. The vulnerability stems from improper enforcement of access control checks (CWE-862). No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%) indicates limited exploitation activity in real-world deployments.
Cross-site request forgery (CSRF) in the Robots.txt Rewrite WordPress plugin (versions up to 1.6.1) allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. The vulnerability affects the plugin's administrative functions and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or active exploitation reported at time of analysis.
Post Video Players WordPress plugin through version 1.163 exposes sensitive embedded data to unauthorized users via improper information disclosure mechanisms. The vulnerability allows attackers to retrieve sensitive system information that should be restricted from public access, affecting the plugin's core video playlist and gallery functionality. With an extremely low EPSS score of 0.04%, active exploitation appears minimal despite the information disclosure risk.
Missing authorization controls in Strategy11 Team Tasty Recipes Lite WordPress plugin through version 1.1.5 allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient validation of user permissions before executing sensitive operations, enabling unauthorized access to protected functionality. No public exploit code or active exploitation has been identified at the time of analysis.
Broken access control in Strategy11 Team Tasty Recipes Lite WordPress plugin through version 1.1.5 allows unauthenticated attackers to exploit incorrectly configured security levels to access or modify protected functionality. The vulnerability stems from missing authorization checks that fail to properly validate user permissions before exposing sensitive operations. EPSS exploitation probability is low at 0.04%, and no public exploit code or confirmed active exploitation has been identified.
Missing authorization in WordPress Accordion Slider Gallery plugin version 2.7 and earlier allows unauthenticated or low-privileged users to bypass access restrictions. The vulnerability stems from missing capability checks (CWE-862) on sensitive plugin functions, potentially enabling unauthorized users to reach restricted or administrative features.
Missing authorization controls in RestroPress WordPress plugin versions through 3.2.7 allow unauthenticated attackers to bypass access restrictions and access functionality intended to be restricted by security-configured access levels. The vulnerability stems from improper validation of user permissions, enabling attackers to exploit incorrectly configured access control mechanisms. No public exploit code or active exploitation has been confirmed, though the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the authorization bypass nature.
Missing authorization in the Trash Duplicate and 301 Redirect WordPress plugin through version 1.9.1 allows unauthenticated attackers to reach functionality that should require a privileged capability, potentially enabling them to access or modify restricted functionality. The vulnerability stems from improper enforcement of WordPress capability checks (CWE-862). No public exploit code has been identified, and the low EPSS score (0.06%) indicates limited real-world exploitation likelihood.
Download Media Library WordPress plugin through version 0.2.1 exposes sensitive system information to unauthorized users via embedded data retrieval. The vulnerability allows unauthenticated attackers to access restricted system details without proper access controls, though real-world exploitation probability remains low (EPSS 0.04%). No public exploit code or active exploitation has been confirmed.
Missing authorization in the Wiremo woo-reviews-by-wiremo WordPress plugin through version 1.4.99 allows attackers to bypass access restrictions, potentially enabling unauthorized access to or modification of review data. The vulnerability is broken access control (CWE-862), not an authentication bypass, and carries an EPSS score of 0.04% (13th percentile), indicating low real-world exploitation probability.
Cross-site request forgery (CSRF) in MERGADO Mergado Pack WordPress plugin through version 4.2.1 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, such as modifying plugin settings or triggering unintended functionality, by tricking them into visiting a malicious webpage. No public exploit code or active exploitation has been reported; EPSS score of 0.02% reflects very low real-world exploitation likelihood.
Missing authorization in Sticky Notes for WP Dashboard plugin (versions up to 1.2.4) allows attackers to bypass access controls. The vulnerability stems from improper enforcement of authorization checks (CWE-862), potentially enabling unauthorized users to read or manipulate sticky notes. The EPSS score of 0.04% (11th percentile) indicates low observed exploitation probability.
Cross-Site Request Forgery (CSRF) vulnerability in iNext Woo Pincode Checker WordPress plugin versions up to 2.3.1 allows unauthenticated attackers to perform unauthorized actions on behalf of site administrators or users. The plugin fails to implement proper nonce validation on sensitive operations, enabling an attacker to craft malicious web pages that, when visited by an authenticated user, execute unintended requests against the vulnerable plugin. This is a low-severity finding with an EPSS score of 0.02% (5th percentile), indicating minimal real-world exploitation probability despite the theoretical attack surface.
Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin version 2.2.0 and earlier allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users through forged requests. The vulnerability affects the WordPress plugin used to enable live shopping and shoppable video streams in WooCommerce stores. No public exploit code has been identified, and the EPSS score of 0.02% indicates low exploitation probability despite the CSRF attack vector.
WP Export Categories & Taxonomies WordPress plugin through version 1.0.3 fails to enforce authorization checks on sensitive functionality, allowing unauthenticated or low-privileged users to exploit misconfigured access controls. The vulnerability stems from improper implementation of WordPress capabilities checks, potentially enabling unauthorized users to export or manipulate site taxonomy data. No public exploit code or active exploitation has been confirmed at the time of analysis.
The Efí Bank Gerencianet Oficial WordPress plugin through version 3.1.3 exposes sensitive data by embedding it into sent HTTP requests or responses, allowing attackers to retrieve payment-related information without authentication. This information disclosure vulnerability (CWE-201) affects all installations of the affected plugin versions and is classified as low-risk based on EPSS score (0.04%, 12th percentile), with no public exploit code or active exploitation confirmed.
Orders Chat for WooCommerce plugin versions up to 1.2.0 fails to enforce access controls on chat functionality, allowing attackers to read or manipulate order chat data without the privileges that should be required. This broken access control vulnerability (CWE-862) affects WordPress installations using the vulnerable plugin. No public exploit code has been identified, and the EPSS probability is low at 0.04%.
Authorization bypass through user-controlled keys in Master Addons for Elementor through version 2.0.9.9.4 allows attackers to reach protected functionality by supplying an identifier the plugin acts on without checking that the caller is entitled to the referenced object (the CWE-639 pattern). The vulnerability affects WordPress installations using the vulnerable plugin versions and carries low exploitation probability (EPSS 0.04%) with no confirmed active exploitation or public exploit code available.
Missing authorization controls in WP Grids EasyTest plugin versions up to 1.0.1 allow unauthenticated attackers to bypass access restrictions and perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability enables exploitation of broken access control without authentication, though real-world exploitation probability remains low at 0.04% EPSS. No public exploit code or active exploitation has been identified.
Simple Like Page WordPress plugin versions 1.5.3 and earlier allow unauthenticated attackers to bypass access controls and perform unauthorized actions because plugin functionality is exposed without authorization checks (CWE-862). Estimated exploitation probability is low (EPSS 0.04%), but this is a classic access control weakness that could permit unauthorized changes to plugin data or settings, depending on which functions lack the check.
Missing authorization in QuadLayers TikTok Feed WordPress plugin versions through 4.6.5 allows unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper validation of user permissions, enabling unauthorized access to protected functionality or data. The EPSS score of 0.04% indicates low exploitation probability, but a missing authorization check on a privileged action amounts to privilege escalation if the affected function performs administrative operations.
Missing authorization controls in nicdark Hotel Booking WordPress plugin versions 3.8 and earlier allow unauthenticated attackers to bypass access restrictions through incorrectly configured security levels, potentially exposing booking and administrative functionality. The vulnerability has low exploitation probability (EPSS 0.04%) and no public exploit code has been identified, making it a lower-priority issue despite the potential impact of an unguarded booking or administrative function.
Missing authorization in Marco Milesi WP Attachments WordPress plugin through version 5.2 allows unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels to access protected attachments. The vulnerability stems from broken access control validation (CWE-862) and carries a low exploitation probability (EPSS 0.05%, 17th percentile), with no confirmed public exploit code or active exploitation documented at analysis time.
Missing authorization controls in nikmelnik Realbig media WordPress plugin versions up to 1.1.3 allow unauthenticated attackers to bypass access control restrictions and exploit misconfigured security levels, potentially exposing restricted content or functionality. The vulnerability is classified as a broken access control issue (CWE-862) with low exploitation probability (EPSS 0.04%) and no public exploit code identified at the time of analysis.
Missing authorization controls in NewClarity DMCA Protection Badge WordPress plugin versions up to 2.2.0 allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially exposing functionality or data that the badge mechanism is meant to protect. The vulnerability stems from insufficient permission validation (CWE-862); real-world exploitation likelihood is low based on EPSS scoring (0.04%, 13th percentile).
The Terms descriptions WordPress plugin versions 3.4.10 and earlier insert sensitive information into sent data (CWE-201), allowing unauthenticated attackers to retrieve it from the plugin's output. The issue affects all installations up to version 3.4.10. No public exploit code has been identified, and the EPSS score of 0.04% indicates minimal real-world exploitation probability; the practical impact depends on what term metadata the site stores.
Missing authorization in SaifuMak Add Custom Codes WordPress plugin through version 4.80 allows unauthenticated or low-privileged attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms (CWE-862) that fail to validate user permissions before granting access to sensitive functionality. Despite a low EPSS score (0.05%, percentile 17%), the missing check warrants prompt patching because the plugin's purpose is to store custom code that is rendered on the site.
Missing authorization controls in totalsoft Portfolio Gallery WordPress plugin versions through 1.4.8 allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive gallery content and administrative functionality to unauthorized access. The vulnerability stems from broken access control mechanisms rather than authentication bypass, meaning authenticated users may also access resources beyond their privilege level. With an EPSS score of 0.05% (17th percentile) and no CVSS severity data, real-world exploitation appears limited despite the theoretical exposure.
Broken access control in Vollstart Serial Codes Generator and Validator with WooCommerce Support plugin through version 2.8.2 allows unauthenticated attackers to exploit misconfigured security levels and bypass authorization checks to access or manipulate serial code functionality. The vulnerability stems from missing authorization validation on security-sensitive operations, enabling attackers to perform actions without proper privilege verification. No public exploit code or active exploitation has been identified at time of analysis, and the low EPSS score (0.05%) suggests limited real-world exploitation probability despite the access control weakness.
Missing authorization in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin (versions up to 2.2.0) allows unauthenticated or low-privilege users to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862) where endpoint-level authorization checks are insufficient or absent, potentially allowing attackers to bypass intended security restrictions on sensitive functionality. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability at time of analysis.
Stored cross-site scripting (XSS) vulnerability in Wayne Allen Postie WordPress plugin through version 1.9.73 allows authenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability stems from improper input neutralization during web page generation, and the injected payload persists in the application's data store. No public exploit code or active exploitation has been identified at time of analysis, and the low EPSS score (0.04%) suggests limited real-world exploitation interest.
DOM-based cross-site scripting (XSS) in WooCommerce Parcelas WordPress plugin versions up to 1.3.5 allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from client-side code that writes user-controlled input into the page without neutralization, enabling arbitrary JavaScript execution in a victim's browser without authentication once the victim opens a crafted URL. EPSS scoring indicates low exploitation probability (0.01%), but because the sink is client-side the flaw is reachable for as long as the vulnerable script is served, and a payload carried in the URL fragment never reaches server-side filtering.
Stored cross-site scripting (XSS) vulnerability in SaifuMak Add Custom Codes WordPress plugin versions 4.80 and earlier allows authenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site administrators and other users. The vulnerability stems from improper input sanitization when storing custom code, enabling attackers with plugin access to compromise site integrity and steal administrative credentials or sessions.
Missing authorization checks in Mohammed Kaludi Core Web Vitals & PageSpeed Booster WordPress plugin through version 1.0.28 allow unauthenticated attackers to exploit incorrectly configured access control to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862), enabling attackers to reach sensitive functionality without the privilege verification that should guard it.
Stored cross-site scripting (XSS) in nicashmu Post Video Players WordPress plugin through version 1.163 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability exists in the plugin (slug video-playlist-and-gallery-plugin) and affects all versions up to and including 1.163. No public exploit code has been identified, and the low EPSS score (0.01%) suggests limited real-world exploitation likelihood despite the persistent nature of stored XSS.
Stored cross-site scripting (XSS) in plainware Locatoraid Store Locator WordPress plugin versions up to 3.9.68 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the plugin's input handling during web page generation, enabling persistent XSS attacks. With an EPSS score of 0.01% and no active exploitation confirmed, this represents a low-probability but persistent risk requiring plugin updates.
Missing authorization controls in cedcommerce WP Advanced PDF plugin versions up to 1.1.7 allow attackers to bypass access restrictions and exploit incorrectly configured security levels. The vulnerability enables unauthenticated access to functionalities that should require proper authorization checks, potentially exposing sensitive PDF generation or management features to unauthorized users. No CVSS vector or active exploitation data is available, but the low EPSS score (0.04%) suggests minimal real-world attack activity.
Cross-Site Request Forgery (CWE-352) in A WP Life Contact Form Widget plugin version 1.5.1 and earlier allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by tricking them into submitting a crafted request. No CVSS score or public exploit code is available, exploitation probability is low (EPSS 0.02%), and no active exploitation has been reported.
Stored cross-site scripting (XSS) in Soli WP Post Signature plugin through version 0.4.1 allows authenticated users to inject malicious scripts into post signatures, which execute in the browsers of administrators and other visitors viewing affected posts. Injecting the payload requires an account able to edit signatures; triggering it requires only that a victim view the affected post. EPSS exploitation probability is minimal at 0.01%, suggesting low real-world attack likelihood despite the vulnerability class.
Stored cross-site scripting (XSS) in Imran Emu Logo Slider WordPress plugin versions 1.8.1 and earlier allows attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects the Logo Slider, Logo Carousel, Logo Showcase, and Client Logo plugin variants. An attacker with sufficient privileges to inject content (such as a contributor or compromised admin account) can embed arbitrary JavaScript to steal session tokens, deface pages, or redirect users to malicious sites. EPSS score of 0.01% indicates low exploitation probability in the wild, though the stored nature of the XSS elevates the persistence risk once injected.
DOM-based cross-site scripting in the ViitorCloud Technologies Add Featured Image Custom Link WordPress plugin (versions up to 2.0.0) allows unauthenticated attackers to inject arbitrary JavaScript into web pages through improper input sanitization. The vulnerability affects the custom URL handling mechanism for featured images, enabling malicious actors to steal session cookies, perform account takeover, or redirect users to phishing sites. EPSS score of 0.01% indicates minimal real-world exploitation probability despite the XSS classification.
DOM-based cross-site scripting (XSS) in SEO Slider WordPress plugin through version 1.1.1 allows authenticated or unauthenticated attackers to inject malicious scripts into the DOM, potentially enabling session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 1.1.1 and has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the XSS attack vector. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) in WPFactory Maximum Products per User for WooCommerce plugin through version 4.4.3 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects WordPress installations using this WooCommerce extension, with an EPSS score of 0.04% indicating low real-world exploitation probability despite the XSS attack vector. No active exploitation has been confirmed.
Stored cross-site scripting (XSS) vulnerability in Bootstrap Modals WordPress plugin versions up to 1.3.2 allows authenticated attackers to inject and execute arbitrary JavaScript code that persists in the database and executes for all site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling attackers with plugin-relevant permissions to compromise user sessions and steal sensitive data from administrators and site visitors.
ColorWay WordPress theme through version 4.2.3 inserts sensitive information into sent data, allowing unauthenticated attackers to retrieve it. Exploitation probability is low (EPSS 0.03%, 9th percentile), and no active exploitation or public exploit code is documented at time of analysis; the practical impact depends on what data the theme emits.
Stored cross-site scripting (XSS) vulnerability in Livemesh Addons for Beaver Builder WordPress plugin versions 3.9.2 and earlier allows attackers to inject malicious scripts into web pages that execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling authenticated or privileged users to store malicious payloads that persist in the plugin's content. With an EPSS score of 0.04% (14th percentile), real-world exploitation likelihood is minimal, though the stored nature of the XSS means injected content could affect multiple end users if compromised.
Stored cross-site scripting (XSS) in Chris Steman Page Title Splitter WordPress plugin versions through 2.5.9 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators and visitors. The vulnerability exists in page generation functionality where user input is not properly sanitized before being rendered in web pages. EPSS score of 0.04% indicates low exploitation probability at present, with no confirmed active exploitation or public proof-of-concept identified.
Stored cross-site scripting (XSS) in MyBookTable Bookstore WordPress plugin version 3.6.0 and earlier allows authenticated or unauthenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability exists in the web page generation process where user input is not properly neutralized before being stored and rendered. No public exploit code has been identified, and the EPSS score of 0.04% suggests low real-world exploitation probability despite the XSS classification.
Stored cross-site scripting (XSS) in Custom Background Changer WordPress plugin through version 3.0 allows authenticated attackers to inject malicious JavaScript that persists in the database and executes for all users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the vulnerability's technical severity.
Reflected cross-site scripting (XSS) in En Masse WordPress plugin versions 1.0 and earlier allows unauthenticated remote attackers to inject arbitrary JavaScript into web pages viewed by other users. The vulnerability exists due to improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute scripts in the context of affected websites. No active exploitation has been confirmed, and real-world risk is low given the EPSS score of 0.04% (14th percentile), though reflected XSS requires only that a victim open a crafted link.
Reflected Cross-Site Scripting (XSS) in Zielke Design Project Gallery WordPress plugin through version 2.5.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at time of analysis, and the low EPSS score (0.04%, 14th percentile) suggests minimal real-world exploitation activity.
Reflected cross-site scripting (XSS) in the front-end-post-edit WordPress plugin through version 1.0.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, and the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood, though reflected XSS remains a common attack method.
Missing authorization controls in Headinger for Elementor plugin (versions up to 1.1.4) permit unauthenticated or insufficiently privileged attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability stems from incorrectly configured security levels that fail to validate user permissions before granting access to sensitive functionality, enabling attackers to exploit the plugin's features beyond their intended authorization scope.
Criptopayer for Elementor WordPress plugin through version 1.0.1 contains a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access control security levels and bypass authorization checks. The vulnerability stems from insufficient validation of user permissions, enabling unauthorized access to sensitive plugin functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation probability is currently low, and no active exploitation or public proof-of-concept code has been reported.
Missing authorization in merkulove Countdowner for Elementor plugin (versions up to 1.0.4) allows unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. With an EPSS score of 0.05% (17th percentile), this vulnerability represents low real-world exploitation probability despite the authorization bypass classification.
Missing authorization in the merkulove Appender WordPress plugin versions through 1.1.1 allows authenticated attackers to bypass access control checks and exploit incorrectly configured security levels, potentially gaining unauthorized access to restricted functionality or data. EPSS probability is minimal at 0.05%, and no public exploit code or active exploitation has been reported.
Missing authorization in merkulove UnGrabber WordPress plugin version 3.1.3 and earlier allows unauthenticated attackers to exploit incorrectly configured access control to bypass security restrictions. The vulnerability stems from CWE-862 (Missing Authorization) and has been identified in the plugin's access control implementation, potentially enabling attackers to perform unauthorized actions without proper privilege verification.
Stored cross-site scripting (XSS) in Gora Tech Cooked WordPress plugin versions up to 1.11.3 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers. The vulnerability persists in the plugin's database and is triggered when affected content is viewed, enabling account compromise, session hijacking, or malware distribution to site visitors. This is a low-probability exploitation risk (EPSS 0.04%) but represents a meaningful concern for multi-user WordPress installations where contributor or editor-level accounts are delegated.
Stored cross-site scripting (XSS) in the eleopard Behance Portfolio Manager WordPress plugin versions 1.7.5 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other users visiting affected pages. The vulnerability stems from improper input sanitization during portfolio content generation, enabling attackers with contributor-level access or higher to compromise site visitors. No public exploit code or active exploitation has been reported, though the vulnerability carries a low EPSS score (0.04%, percentile 13%) suggesting limited real-world exploitation likelihood at time of analysis.
Stored XSS vulnerability in ikaes Accessibility Press plugin (ilogic-accessibility) versions through 1.0.2 allows authenticated attackers to inject arbitrary JavaScript that executes in the browsers of other site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability stems from improper input sanitization during web page generation and carries a low exploitation probability (EPSS 0.04%) with no confirmed active exploitation.
Stored cross-site scripting (XSS) in Dashboard Beacon WordPress plugin versions up to 1.2.0 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage and execution across user sessions. No public exploit code or active exploitation has been confirmed.
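The stored and reflected XSS entries above (Add Custom Codes and Bootstrap Modals on the stored side, Project Gallery and front-end-post-edit on the reflected side, among others) share one root cause: attacker-controlled text is written into an HTML response without encoding for the context it lands in. The following is an added example, not code from any plugin named on this page or from WordPress, showing the three contexts a plugin author hits most (HTML text and attributes, href values, and data handed to inline JavaScript) with a vulnerable renderer beside a hardened one. The helpers esc_html, esc_attr and esc_url are named after the WordPress escaping functions so the mapping is obvious, and js_value corresponds to wp_json_encode() with JSON_HEX_TAG|JSON_HEX_AMP, but all four are plain-Python approximations written for this example; real plugin code should call the WordPress functions. The attacker inputs are constructed for the demo.

```python
"""Context-aware output encoding for HTML responses (added example).

The helpers approximate the WordPress functions esc_html(), esc_attr(),
esc_url() and wp_json_encode(JSON_HEX_TAG|JSON_HEX_AMP). They are written
in Python only so the example runs stand-alone; they are not the
WordPress implementations.
"""
import html
import json
from urllib.parse import urlsplit

SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def esc_html(value):
    """Text-node context: <, >, &, and quotes become entities."""
    return html.escape(str(value), quote=True)


def esc_attr(value):
    """Quoted-attribute context: same entity set; the attribute must be quoted."""
    return html.escape(str(value), quote=True)


def esc_url(value):
    """href/src context: drop non-allowlisted schemes (javascript:, data:, ...),
    then attribute-escape what remains. Scheme-less (relative) URLs pass."""
    text = str(value).strip()
    scheme = urlsplit(text).scheme.lower()
    if scheme and scheme not in SAFE_URL_SCHEMES:
        return ""
    return esc_attr(text)


def js_value(value):
    """Inline <script> context: JSON-encode, then hex-escape < > & so a string
    value can never close the script element or open a tag. Plain JSON is
    not enough: json.dumps leaves '</script>' intact."""
    encoded = json.dumps(value)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_widget_vulnerable(title, link, config):
    """The pattern behind the XSS entries: values echoed raw into markup."""
    return (f'<div class="widget" data-title="{title}">'
            f'<a href="{link}">{title}</a>'
            f'<script>var cfg = {json.dumps(config)};</script></div>')


def render_widget_hardened(title, link, config):
    """Each value encoded for the exact context it is written into."""
    return (f'<div class="widget" data-title="{esc_attr(title)}">'
            f'<a href="{esc_url(link)}">{esc_html(title)}</a>'
            f'<script>var cfg = {js_value(config)};</script></div>')


# Constructed attacker input for the demo, one payload per context.
DEMO_TITLE = '"><img src=x onerror=alert(1)>'
DEMO_LINK = " JavaScript:alert(document.cookie)"
DEMO_CONFIG = {"label": "</script><script>alert(2)</script>"}

if __name__ == "__main__":
    print(render_widget_vulnerable(DEMO_TITLE, DEMO_LINK, DEMO_CONFIG))
    print(render_widget_hardened(DEMO_TITLE, DEMO_LINK, DEMO_CONFIG))
```

The point the two renderers make is that a single "sanitize" step at input time, which is how most of the affected plugins were written, cannot know which context the value will later be rendered in; encoding belongs at the output sink, chosen per context. The script-context case is the one most often missed: JSON encoding alone leaves `</script>` in the output, and only the extra hex-escaping of `<` prevents the breakout.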
Missing authorization in Select Graphist for Elementor WordPress plugin versions up to 1.2.10 allows unauthenticated attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.01% and no confirmed active exploitation, this represents a low-probability attack despite the authorization flaw.
Missing authorization in Walker for Elementor plugin (versions through 1.1.6) allows unauthenticated attackers to exploit improperly configured access controls to bypass intended security restrictions and access unauthorized functionality. The vulnerability stems from inadequate permission validation in the plugin's WordPress implementation, enabling attackers to interact with protected features without proper authentication or role-based authorization checks.
Gmaper for Elementor plugin versions up to 1.0.9 contains a missing authorization vulnerability (CWE-862) that allows attackers to exploit incorrectly configured access control security levels, potentially bypassing authorization checks to access restricted functionality. The vulnerability carries a 0.02% EPSS score (percentile 4%), indicating minimal real-world exploitation risk at present, with no public exploit code or active exploitation currently identified.
Missing authorization in merkulove Sliper for Elementor plugin versions up to 1.0.10 allows attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient access control validation (CWE-862), enabling unauthenticated or low-privileged users to perform actions they should not be authorized to execute. With an EPSS score of 0.02% (4th percentile) indicating very low real-world exploitation likelihood, this issue represents a lower-priority authorization flaw compared to actively exploited vulnerabilities.
Missing authorization in merkulove Watcher for Elementor plugin (versions up to 1.0.9) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive functionality or data. The vulnerability carries an EPSS score of 0.02% (percentile 4%), indicating very low observed exploitation probability, with no public exploit code or active exploitation confirmed at the time of analysis.
Missing authorization controls in merkulove Questionar for Elementor plugin versions up to 1.1.7 allow attackers to exploit improperly configured access control mechanisms, potentially enabling unauthorized access to questionnaire data or administrative functions. The vulnerability stems from inadequate privilege validation and affects all users of the vulnerable plugin versions. With an EPSS score of 0.02% and no CVSS severity assigned, real-world exploitation likelihood is currently minimal, though a missing authorization check on administrative functions warrants patching.
Missing authorization in Merkulove Couponer for Elementor plugin versions up to 1.1.7 allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized access to coupon management functionality. Real-world exploitation probability is low (EPSS 0.02%); note that EPSS reflects observed exploitation activity, not the severity of what an unguarded coupon function could expose.
Missing authorization in Northern Beaches Websites WP Custom Admin Interface plugin (versions up to 7.40) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized administrative access or performing privileged actions without proper authentication. The vulnerability affects WordPress installations using this plugin and carries a very low EPSS score (0.01%, 2nd percentile) despite the authorization flaw, suggesting limited real-world exploitation likelihood in practice.
Missing authorization in the Alexander AnyComment WordPress plugin through version 0.3.6 allows unauthenticated attackers to exploit incorrectly configured access control security levels, resulting in unauthorized access to protected functionality. The vulnerability stems from broken access control mechanisms (CWE-862) rather than authentication bypass, meaning authenticated sessions may also be affected depending on their privilege level. With an EPSS score of 0.02% and no reported active exploitation, this represents a low-probability real-world risk despite the critical nature of access control flaws.
Cross-Site Request Forgery (CSRF) vulnerability in inkthemes WP Gmail SMTP plugin through version 1.0.7 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the WordPress plugin across all versions up to and including 1.0.7, enabling attackers to potentially modify email configuration settings or other administrative functions via crafted web requests. No public exploit code has been identified at the time of analysis, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the theoretical attack surface.
Hide Plugins WordPress plugin through version 1.0.4 fails to enforce proper authorization checks, allowing unauthenticated or low-privileged users to access plugin management functions intended for administrators. The missing access control (CWE-862) permits attackers to exploit incorrectly configured security levels, potentially enabling unauthorized plugin visibility or manipulation. While EPSS indicates low real-world exploitation probability (0.01%, 2nd percentile), the vulnerability represents a direct authorization bypass that could escalate privileges in certain WordPress configurations.
The Signature Add-On for Gravity Forms plugin (version 1.8.6 and earlier) contains a missing authorization vulnerability that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of authorization checks, enabling unauthorized users to access protected functionality or data that should be restricted based on user roles and permissions. This authorization flaw affects WordPress installations using the vulnerable plugin versions and is tracked as CWE-862 (Missing Authorization).
Server-Side Request Forgery (SSRF) in the WordPress & WooCommerce Scraper Plugin (wp_scraper) versions up to 1.0.7 allows unauthenticated attackers to make arbitrary HTTP requests from the affected WordPress server. The vulnerability exists in the plugin's core scraping functionality, which fails to properly validate or restrict the target URLs that can be requested. An attacker can exploit this to scan internal networks, access internal services, exfiltrate data from backend systems, or perform reconnaissance against the hosting infrastructure. No public exploit code has been identified at time of analysis, and EPSS risk is minimal at 0.01%, but the vulnerability affects all installations of the vulnerable plugin versions.
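The scraper SSRF above is the textbook case: a plugin fetches whatever URL it is handed. The guard below is an added example, not code from the wp_scraper plugin or from WordPress core (whose wp_safe_remote_get() and wp_http_validate_url() perform a comparable check). It validates a fetch target the way a server-side fetcher should: allow only http and https, refuse embedded credentials, resolve the host, and reject the request if any returned address is loopback, private, link-local (where the 169.254.169.254 cloud metadata endpoint lives), multicast, IPv4-mapped into IPv6, or otherwise non-global. The DNS table, the fake resolver and the .test/.local hostnames are constructed so the example runs offline; pass system_resolve for real use.

```python
"""SSRF guard for a server-side URL fetcher (added example, not plugin code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS table for the offline demo. Hostnames are fictitious.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],   # one public answer, one loopback
    "v6host.test": ["::ffff:192.168.1.10"],          # IPv4-mapped private address
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def system_resolve(host):
    """Real resolver: every A/AAAA answer, deduplicated, for use outside the demo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr_text):
    """True only for globally routable unicast addresses."""
    try:
        ip = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    # is_global excludes loopback, RFC1918, link-local, CGNAT, documentation and
    # reserved ranges; multicast is not in that list, so exclude it explicitly.
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url, resolve=fake_resolve):
    """Return (ok, reason). ok is True only when every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    try:                             # literal IP: no DNS lookup, judge it directly
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:               # one bad answer rejects the whole target
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for target in ("https://example.com/page", "http://intranet.local/",
                   "http://169.254.169.254/latest/meta-data/", "http://rebind.test/",
                   "http://v6host.test/", "file:///etc/passwd"):
        print(target, "->", check_fetch_target(target))
```

Two caveats a practitioner would want. First, validating the hostname and then letting the HTTP client resolve it again is a time-of-check/time-of-use hole (DNS rebinding): the fetcher should connect to the address that passed the check, and re-run the check on every redirect it follows. Second, alternative numeric forms such as `http://2130706433/` are rejected here only because they neither parse as IP literals nor appear in the constructed table; with the system resolver they are typically interpreted as 127.0.0.1 and rejected by the address check, which is why the check must run on resolved addresses rather than on the URL text.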
WP Messiah BoomDevs WordPress Coming Soon plugin through version 1.0.4 exposes sensitive system information to unauthorized access, allowing attackers to retrieve embedded sensitive data without authentication. The vulnerability stems from improper access controls on sensitive data endpoints, classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). With an EPSS score of 0.01% (2nd percentile), exploitation likelihood is minimal despite the information disclosure nature of the defect.
Missing authorization in the Easy Upload Files During Checkout WordPress plugin through version 3.0.0 allows unauthenticated attackers to exploit incorrectly configured access controls to bypass security restrictions and upload files. The vulnerability, classified as a broken access control flaw (CWE-862), affects the plugin's core file upload functionality during checkout operations. While EPSS scoring indicates very low exploitation probability (0.01%, 2nd percentile), the absence of CVSS data and patch version information limits quantification of attack complexity and remediation specificity.
Authorization bypass in Order Cancellation & Returns for WooCommerce plugin (versions ≤1.1.11) allows unauthenticated or low-privileged users to access and manipulate order cancellation and return functionality through user-controlled parameters. The vulnerability stems from improper access control checks that fail to validate user permissions against the requested resource, enabling attackers to operate on orders belonging to other customers without proper authorization. EPSS score of 0.01% indicates low observed exploitation likelihood despite the straightforward attack vector.
Direct Payments WP WordPress plugin through version 1.3.2 exposes embedded sensitive system information to unauthorized parties via CWE-497 exposure mechanisms, allowing attackers to retrieve confidential data without requiring authentication. The vulnerability affects all versions up to and including 1.3.2, with an EPSS score of 0.01% indicating minimal observed exploitation probability despite the information disclosure nature of the flaw.
Missing authorization in the Direct Payments WP WordPress plugin version 1.3.2 and earlier allows attackers to bypass access control mechanisms and exploit incorrectly configured security levels, potentially gaining unauthorized access to payment functionality. This authentication bypass vulnerability affects all users of the plugin up to version 1.3.2, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the missing CVSS rating.
Cross-site request forgery (CSRF) in the Post Snippets WordPress plugin through version 4.0.11 allows unauthenticated attackers to perform unauthorized administrative actions on vulnerable sites by tricking authenticated administrators into visiting malicious web pages. The vulnerability affects all versions up to and including 4.0.11; no CVSS vector has been assigned and the EPSS exploitation probability does not exceed baseline, suggesting that limited real-world exploit infrastructure exists at this time.
Cross-Site Request Forgery (CSRF) vulnerability in Gmedia Photo Gallery WordPress plugin through version 1.25.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An unauthenticated remote attacker can craft malicious web pages or emails that, when visited by a logged-in admin or user, execute unwanted operations such as modifying gallery settings, uploading images, or changing plugin configuration. The vulnerability has an extremely low exploitation probability (EPSS 0.02%, 5th percentile) but represents a class of attacks that can bypass user intent entirely when user awareness is low.
Missing authorization controls in All in One Accessibility WordPress plugin versions 1.15 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to access or modify functionality that should be restricted, though exploitation probability is low (EPSS 0.04%). No public exploit code or active exploitation has been identified at the time of analysis.
Missing authorization controls in GS Portfolio for Envato WordPress plugin versions up to 1.4.2 allow unauthenticated attackers to bypass access restrictions and exploit incorrectly configured security levels to access protected functionality or data. The vulnerability stems from inadequate access control validation, enabling attackers to manipulate requests to resources that should be restricted. No public exploit code has been identified, and the low EPSS score of 0.04% suggests limited real-world exploitation likelihood, though the missing CVSS vector prevents definitive severity assessment.
Missing authorization in the Vireo WordPress theme (versions up to 1.0.24) enables authenticated attackers with low privileges to bypass access controls and execute high-impact operations including data exfiltration, integrity compromise, and availability disruption. The vulnerability affects a specific WordPress theme product from extendthemes with CVSS 8.8 severity. While EPSS probability is low (0.04%, 13th percentile), the low attack complexity and network attack vector warrant attention for sites using this theme. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Missing authorization checks in Aum Watcharapon Featured Image Generator WordPress plugin versions up to 1.3.4 allow unauthenticated or low-privileged attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive plugin functionality. The EPSS score of 0.04% indicates low exploitation probability in practice despite the authorization flaw.
Missing authorization in the AI Content Writing Assistant WordPress plugin (versions up to 1.1.7) allows unauthenticated or low-privileged users to access restricted functionality through incorrectly configured access controls. The vulnerability exploits broken access control logic (CWE-862) that fails to properly validate user permissions before granting access to sensitive operations. While EPSS scoring indicates low exploitation probability (0.04th percentile), the authentication bypass nature of the flaw creates a direct pathway for unauthorized feature access.
Missing authorization controls in themesawesome History Timeline WordPress plugin versions through 1.0.6 permit exploitation of incorrectly configured access control, allowing unauthenticated or low-privileged users to bypass security restrictions and access protected functionality. The vulnerability stems from improper enforcement of access control checks (CWE-862), classified as a broken access control flaw. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%) suggests limited practical exploitation likelihood in real-world deployments.
Cross-site request forgery (CSRF) in the Robots.txt Rewrite WordPress plugin (versions up to 1.6.1) allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. The vulnerability affects the plugin's administrative functions and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or active exploitation reported at time of analysis.
Post Video Players WordPress plugin through version 1.163 exposes sensitive embedded data to unauthorized users through an information disclosure flaw. The vulnerability allows attackers to retrieve sensitive system information that should be restricted from public access, affecting the plugin's core video playlist and gallery functionality. With an extremely low EPSS score of 0.04%, active exploitation appears minimal despite the information disclosure risk.
Missing authorization controls in Strategy11 Team Tasty Recipes Lite WordPress plugin through version 1.1.5 allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient validation of user permissions before executing sensitive operations, enabling unauthorized access to protected functionality. No public exploit code or active exploitation has been identified at the time of analysis.
Broken access control in Strategy11 Team Tasty Recipes Lite WordPress plugin through version 1.1.5 allows unauthenticated attackers to exploit incorrectly configured security levels to access or modify protected functionality. The vulnerability stems from missing authorization checks that fail to properly validate user permissions before exposing sensitive operations. EPSS exploitation probability is low at 0.04%, and no public exploit code or confirmed active exploitation has been identified.
Missing authorization controls in WordPress Accordion Slider Gallery plugin version 2.7 and earlier allow unauthenticated or low-privileged users to bypass access restrictions and exploit misconfigured security levels. The vulnerability stems from improper access control validation (CWE-862) that fails to enforce authentication checks on sensitive plugin functions, potentially enabling unauthorized users to access restricted functionality or administrative features.
Missing authorization controls in RestroPress WordPress plugin versions through 3.2.7 allow unauthenticated attackers to bypass access restrictions and access functionality intended to be restricted by security-configured access levels. The vulnerability stems from improper validation of user permissions, enabling attackers to exploit incorrectly configured access control mechanisms. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the authorization bypass nature.
Missing authorization in the Trash Duplicate and 301 Redirect WordPress plugin through version 1.9.1 allows unauthenticated attackers to exploit incorrectly configured access control security levels, potentially bypassing authentication checks to access or modify restricted functionality. The vulnerability stems from improper enforcement of WordPress capability checks (CWE-862), and while no public exploit code has been identified, the low EPSS score (0.06%) suggests limited real-world exploitation likelihood despite the authorization flaw.
Download Media Library WordPress plugin through version 0.2.1 exposes sensitive system information to unauthorized users by allowing retrieval of embedded data. The vulnerability allows unauthenticated attackers to access restricted system details without proper access controls, though real-world exploitation probability remains low (EPSS 0.04%). No public exploit code or active exploitation has been confirmed.
Missing authorization controls in the Wiremo woo-reviews-by-wiremo WordPress plugin through version 1.4.99 allow attackers to bypass access restrictions and exploit incorrectly configured security levels, potentially enabling unauthorized data access or modification of review functionality. The vulnerability stems from broken access control (CWE-862) and carries an EPSS score of 0.04% (13th percentile), indicating low real-world exploitation probability despite the authentication bypass tag.
Cross-site request forgery (CSRF) in MERGADO Mergado Pack WordPress plugin through version 4.2.1 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, such as modifying plugin settings or triggering unintended functionality, by tricking them into visiting a malicious webpage. No public exploit code or active exploitation has been reported; EPSS score of 0.02% reflects very low real-world exploitation likelihood.
Missing authorization in Sticky Notes for WP Dashboard plugin (versions up to 1.2.4) allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability stems from improper enforcement of authorization checks (CWE-862), potentially enabling unauthorized users to access or manipulate sticky notes functionality. With an EPSS score of 0.04% (11th percentile), this represents a low real-world exploitation probability despite the authorization flaw, suggesting either limited attack surface or constrained practical utility.
Cross-Site Request Forgery (CSRF) vulnerability in iNext Woo Pincode Checker WordPress plugin versions up to 2.3.1 allows unauthenticated attackers to perform unauthorized actions on behalf of site administrators or users. The plugin fails to implement proper nonce validation on sensitive operations, enabling an attacker to craft malicious web pages that, when visited by an authenticated user, execute unintended requests against the vulnerable plugin. This is a low-severity finding with an EPSS score of 0.02% (5th percentile), indicating minimal real-world exploitation probability despite the theoretical attack surface.
Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin version 2.2.0 and earlier allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users through forged requests. The vulnerability affects the WordPress plugin used to enable live shopping and shoppable video streams in WooCommerce stores. No public exploit code has been identified, and the EPSS score of 0.02% indicates low exploitation probability despite the CSRF attack vector.
WP Export Categories & Taxonomies WordPress plugin through version 1.0.3 fails to enforce authorization checks on sensitive functionality, allowing unauthenticated or low-privileged users to exploit misconfigured access controls. The vulnerability stems from improper implementation of WordPress capabilities checks, potentially enabling unauthorized users to export or manipulate site taxonomy data. No public exploit code or active exploitation has been confirmed at the time of analysis.
The Efí Bank Gerencianet Oficial WordPress plugin through version 3.1.3 exposes sensitive data by embedding it into sent HTTP requests or responses, allowing attackers to retrieve payment-related information without authentication. This information disclosure vulnerability (CWE-201) affects all installations of the affected plugin versions and is classified as low-risk based on EPSS score (0.04%, 12th percentile), with no public exploit code or active exploitation confirmed.
Orders Chat for WooCommerce plugin versions up to 1.2.0 fail to properly enforce access controls on chat functionality, allowing attackers to bypass authentication checks and access or manipulate order chat data through incorrectly configured security levels. This broken access control vulnerability (CWE-862) affects WordPress installations using the vulnerable plugin; no public exploit code has been identified, although the authorization bypass mechanics are confirmed to be exploitable. EPSS probability is low at 0.04%, suggesting limited real-world exploitation likelihood despite the authorization flaw.
Authorization bypass in Master Addons for Elementor through version 2.0.9.9.4 allows attackers to exploit incorrectly configured access control via user-controlled keys, enabling unauthorized access to protected functionality without proper privilege validation. The vulnerability affects WordPress installations using the vulnerable plugin versions and carries low exploitation probability (EPSS 0.04%) with no confirmed active exploitation or public exploit code available.
Missing authorization controls in WP Grids EasyTest plugin versions up to 1.0.1 allow unauthenticated attackers to bypass access restrictions and perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability enables exploitation of broken access control without authentication, though real-world exploitation probability remains low at 0.04% EPSS. No public exploit code or active exploitation has been identified.
Simple Like Page WordPress plugin versions 1.5.3 and earlier allow unauthenticated attackers to bypass access controls and perform unauthorized actions through incorrectly configured authentication checks, enabling exploitation of missing authorization enforcement in plugin functionality. The vulnerability affects the widely deployed Simple Like Page plugin and has low estimated exploitation probability (EPSS 0.04%) but represents a classic access control weakness that could permit unauthorized modification of plugin data or settings.
Missing authorization in QuadLayers TikTok Feed WordPress plugin versions through 4.6.5 allows unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper validation of user permissions, enabling unauthorized access to protected functionality or data. While EPSS scoring indicates low exploitation probability (0.04th percentile), the authentication bypass classification suggests potential for privilege escalation or unauthorized administrative actions if discovered by an attacker.
Missing authorization controls in nicdark Hotel Booking WordPress plugin versions 3.8 and earlier allow unauthenticated attackers to bypass access restrictions through incorrectly configured security levels, potentially exposing sensitive booking and administrative functionality. The vulnerability has low exploitation probability (EPSS 0.04%) and no public exploit code has been identified, making it a lower-priority issue despite the high-impact CWE classification.
Missing authorization in Marco Milesi WP Attachments WordPress plugin through version 5.2 allows unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels to access protected attachments. The vulnerability stems from broken access control validation (CWE-862) and carries a low exploitation probability (EPSS 0.05%, 17th percentile), with no confirmed public exploit code or active exploitation documented at analysis time.
Missing authorization controls in nikmelnik Realbig media WordPress plugin versions up to 1.1.3 allow unauthenticated attackers to bypass access control restrictions and exploit misconfigured security levels, potentially exposing restricted content or functionality. The vulnerability is classified as a broken access control issue (CWE-862) with low exploitation probability (EPSS 0.04%) and no public exploit code identified at the time of analysis.
Missing authorization controls in NewClarity DMCA Protection Badge WordPress plugin versions up to 2.2.0 allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive functionality or data protected by the badge mechanism. The vulnerability stems from insufficient permission validation (CWE-862) and presents an authentication bypass risk, though real-world exploitation likelihood is low based on EPSS scoring (0.04%, 13th percentile).
The Terms descriptions WordPress plugin versions 3.4.10 and earlier expose sensitive data through embedded information in sent data, allowing unauthenticated attackers to retrieve embedded sensitive information. This information disclosure vulnerability (CWE-201) affects all installations of the plugin up to version 3.4.10. No public exploit code has been identified, and the EPSS score of 0.04% indicates minimal real-world exploitation probability, though the vulnerability remains a concern for sites storing sensitive term metadata.
Missing authorization in SaifuMak Add Custom Codes WordPress plugin through version 4.80 allows unauthenticated or low-privileged attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms (CWE-862) that fail to properly validate user permissions before granting access to sensitive functionality. Despite a low EPSS score (0.05%, 17th percentile), the authentication bypass tag indicates potential for account takeover or privilege escalation.
Missing authorization controls in totalsoft Portfolio Gallery WordPress plugin versions through 1.4.8 allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive gallery content and administrative functionality to unauthorized access. The vulnerability stems from broken access control mechanisms rather than authentication bypass, meaning authenticated users may also access resources beyond their privilege level. With an EPSS score of 0.05% (17th percentile) and no CVSS severity data, real-world exploitation appears limited despite the theoretical exposure.
Broken access control in Vollstart Serial Codes Generator and Validator with WooCommerce Support plugin through version 2.8.2 allows unauthenticated attackers to exploit misconfigured security levels and bypass authorization checks to access or manipulate serial code functionality. The vulnerability stems from missing authorization validation on security-sensitive operations, enabling attackers to perform actions without proper privilege verification. No public exploit code or active exploitation has been identified at time of analysis, and the low EPSS score (0.05%) suggests limited real-world exploitation probability despite the access control weakness.
Missing authorization in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin (versions up to 2.2.0) allows unauthenticated or low-privilege users to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862) where endpoint-level authorization checks are insufficient or absent, potentially allowing attackers to bypass intended security restrictions on sensitive functionality. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability at time of analysis.
Stored cross-site scripting (XSS) vulnerability in Wayne Allen Postie WordPress plugin through version 1.9.73 allows authenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability stems from improper input neutralization during web page generation, enabling persistence of injected payloads in the application's data store. No public exploit code or active exploitation has been identified at time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation interest despite the vulnerability's presence in a plugin with unknown user base size.
DOM-based cross-site scripting (XSS) in WooCommerce Parcelas WordPress plugin versions up to 1.3.5 allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While EPSS scoring indicates low exploitation probability (0.01%), the DOM-based nature and lack of authentication barriers make this a persistent client-side threat in environments where the vulnerable plugin remains deployed.
Stored cross-site scripting (XSS) vulnerability in SaifuMak Add Custom Codes WordPress plugin versions 4.80 and earlier allows authenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site administrators and other users. The vulnerability stems from improper input sanitization when storing custom code, enabling attackers with plugin access to compromise site integrity and steal administrative credentials or sessions.
Missing authorization checks in Mohammed Kaludi Core Web Vitals & PageSpeed Booster WordPress plugin through version 1.0.28 allow unauthenticated attackers to exploit incorrectly configured access control to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862), enabling attackers to bypass security restrictions and access sensitive functionality without proper authentication or privilege verification.
Stored cross-site scripting (XSS) in nicashmu Post Video Players WordPress plugin through version 1.163 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability exists in the video-playlist-and-gallery-plugin and affects all versions up to and including 1.163; no public exploit code has been identified, and the low EPSS score (0.01%) suggests limited real-world exploitation likelihood despite the vulnerability's persistent nature.
Stored cross-site scripting (XSS) in plainware Locatoraid Store Locator WordPress plugin versions up to 3.9.68 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the plugin's input handling during web page generation, enabling persistent XSS attacks. With an EPSS score of 0.01% and no active exploitation confirmed, this represents a low-probability but persistent risk requiring plugin updates.
Missing authorization controls in cedcommerce WP Advanced PDF plugin versions up to 1.1.7 allow attackers to bypass access restrictions and exploit incorrectly configured security levels. The vulnerability enables unauthenticated access to functionalities that should require proper authorization checks, potentially exposing sensitive PDF generation or management features to unauthorized users. No CVSS vector or active exploitation data is available, but the low EPSS score (0.04%) suggests minimal real-world attack activity.
Cross-Site Request Forgery vulnerability in A WP Life Contact Form Widget plugin version 1.5.1 and earlier allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability lacks a CVSS score and public exploit code, but is assigned low exploitation probability (EPSS 0.02%) and categorized under CWE-352 (CSRF). No active exploitation has been reported.
Stored cross-site scripting (XSS) in Soli WP Post Signature plugin through version 0.4.1 allows authenticated users to inject malicious scripts into post signatures, which execute in the browsers of administrators and other site visitors viewing affected posts. The vulnerability requires user interaction or administrative access to inject the payload but poses a risk to site integrity and user data. EPSS exploitation probability is minimal at 0.01%, suggesting low real-world attack likelihood despite the vulnerability class.
Stored cross-site scripting (XSS) in Imran Emu Logo Slider WordPress plugin versions 1.8.1 and earlier allows attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects the Logo Slider, Logo Carousel, Logo Showcase, and Client Logo plugin variants. An attacker with sufficient privileges to inject content (such as a contributor or compromised admin account) can embed arbitrary JavaScript to steal session tokens, deface pages, or redirect users to malicious sites. EPSS score of 0.01% indicates low exploitation probability in the wild, though the stored nature of the XSS elevates the persistence risk once injected.
DOM-based cross-site scripting in the ViitorCloud Technologies Add Featured Image Custom Link WordPress plugin (versions up to 2.0.0) allows unauthenticated attackers to inject arbitrary JavaScript into web pages through improper input sanitization. The vulnerability affects the custom URL handling mechanism for featured images, enabling malicious actors to steal session cookies, perform account takeover, or redirect users to phishing sites. EPSS score of 0.01% indicates minimal real-world exploitation probability despite the XSS classification.
DOM-based cross-site scripting (XSS) in SEO Slider WordPress plugin through version 1.1.1 allows authenticated or unauthenticated attackers to inject malicious scripts into the DOM, potentially enabling session hijacking, credential theft, or malware distribution. The vulnerability affects all versions up to and including 1.1.1 and has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the XSS attack vector. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) in WPFactory Maximum Products per User for WooCommerce plugin through version 4.4.3 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects WordPress installations using this WooCommerce extension, with an EPSS score of 0.04% indicating low real-world exploitation probability despite the XSS attack vector. No active exploitation has been confirmed.
Stored cross-site scripting (XSS) vulnerability in Bootstrap Modals WordPress plugin versions up to 1.3.2 allows authenticated attackers to inject and execute arbitrary JavaScript code that persists in the database and executes for all site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling attackers with plugin-relevant permissions to compromise user sessions and steal sensitive data from administrators and site visitors.
ColorWay WordPress theme through version 4.2.3 embeds sensitive information in sent data, allowing unauthenticated attackers to retrieve embedded data without authentication. The vulnerability has an exceptionally low exploitation probability (EPSS 0.03%, 9th percentile) despite being information disclosure in nature, suggesting the sensitive data exposure requires specific conditions or limited practical impact. No active exploitation or public exploit code is documented at time of analysis.
Stored cross-site scripting (XSS) vulnerability in Livemesh Addons for Beaver Builder WordPress plugin versions 3.9.2 and earlier allows attackers to inject malicious scripts into web pages that execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling authenticated or privileged users to store malicious payloads that persist in the plugin's content. With an EPSS score of 0.04% (14th percentile), real-world exploitation likelihood is minimal, though the stored nature of the XSS means injected content could affect multiple end users if compromised.
Stored cross-site scripting (XSS) in Chris Steman Page Title Splitter WordPress plugin versions through 2.5.9 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators and visitors. The vulnerability exists in page generation functionality where user input is not properly sanitized before being rendered in web pages. EPSS score of 0.04% indicates low exploitation probability at present, with no confirmed active exploitation or public proof-of-concept identified.
Stored cross-site scripting (XSS) in MyBookTable Bookstore WordPress plugin version 3.6.0 and earlier allows authenticated or unauthenticated attackers to inject malicious scripts into web pages that execute in the context of other users' browsers. The vulnerability exists in the web page generation process where user input is not properly neutralized before being stored and rendered. No public exploit code has been identified, and the EPSS score of 0.04% suggests low real-world exploitation probability despite the XSS classification.
Stored cross-site scripting (XSS) in Custom Background Changer WordPress plugin through version 3.0 allows authenticated attackers to inject malicious JavaScript that persists in the database and executes for all users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the vulnerability's technical severity.