WordPress

5872 CVEs (vendor)

Monthly

CVE-2025-62118 This Week

Stored cross-site scripting (XSS) in the kcseopro AdWords Conversion Tracking Code WordPress plugin version 1.0 and earlier allows attackers to inject malicious scripts into web pages, which are then executed in the browsers of other users viewing affected pages. The vulnerability stems from improper input sanitization during web page generation, enabling persistent XSS attacks that can compromise user sessions, steal credentials, or redirect visitors to malicious sites. EPSS score of 0.04% indicates low exploitation probability despite the stored XSS vector.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62111 This Week

Stored cross-site scripting (XSS) in webvitaly Extra Shortcodes WordPress plugin through version 2.2 allows authenticated attackers to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling persistence of arbitrary JavaScript code within the plugin's shortcode processing. The low EPSS score (0.04%) and lack of public exploit code suggest limited practical exploitation likelihood, though the stored nature of the vulnerability means injected payloads affect all subsequent visitors until remediated.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-63032 This Week

Stored cross-site scripting in thinkupthemes Consulting WordPress theme versions through 1.5.0 enables authenticated users or malicious admins to inject persistent JavaScript payloads that execute in the browsers of other site visitors or administrators. The vulnerability allows arbitrary script execution within the context of the affected WordPress installation, potentially leading to account compromise, malware distribution, or session hijacking. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress XSS PHP
NVD
EPSS
0.0%
CVE-2025-62991 This Week

Stored cross-site scripting (XSS) in thinkupthemes Minamaze WordPress theme versions up to 1.10.1 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability has an EPSS score of 0.01% (3rd percentile), indicating minimal likelihood of exploitation in practice, though it represents a privilege-escalation pathway for authenticated attackers with contributor-level access or higher.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62757 This Week

DOM-based cross-site scripting (XSS) in WebMan Amplifier WordPress plugin through version 1.5.12 allows attackers to inject malicious scripts that execute in users' browsers. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks depending on the specific injection vector. With an EPSS score of 0.01% (3rd percentile) and no evidence of active exploitation, this represents a low real-world risk despite the XSS classification, though remediation is still recommended for all affected installations.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62756 This Week

DOM-based cross-site scripting (XSS) in The Moneytizer WordPress plugin up to version 10.0.9 allows attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects WordPress sites running the vulnerable plugin versions and could enable session hijacking, credential theft, or malware distribution targeting site administrators and visitors. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.01% suggests minimal real-world exploitation probability.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62749 This Week

DOM-based cross-site scripting (XSS) in Bainternet User Specific Content WordPress plugin versions 1.0.6 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While no public exploit code or active exploitation has been confirmed, the extremely low EPSS score (0.01%) and the absence of CVSS vector data suggest limited real-world exploitability, despite the XSS classification.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62748 This Week

DOM-based cross-site scripting (XSS) in Genetech Products Web and WooCommerce Addons for WPBakery Builder (vc-addons-by-bit14) plugin versions up to 1.5 allows unauthenticated attackers to inject malicious scripts that execute in the context of affected user sessions. The vulnerability stems from improper neutralization of user-supplied input during web page generation. EPSS scoring (0.01%, percentile 3%) indicates very low real-world exploitation probability despite the nature of the flaw, and no public exploit code or active exploitation has been confirmed.

WordPress Woocommerce PHP XSS
NVD
EPSS
0.0%
CVE-2025-62135 This Week

DOM-based cross-site scripting (XSS) vulnerability in the Responsive Block Control WordPress plugin through version 1.3.0 allows attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction with a malicious link or form, but once triggered, the vulnerability enables session hijacking, credential theft, or defacement. The vulnerability has an exceptionally low EPSS score (0.01%), suggesting minimal real-world exploitation likelihood despite public disclosure.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-49358 This Week

DOM-based cross-site scripting (XSS) vulnerability in Ruhul Amin Content Fetcher WordPress plugin versions 1.1 and earlier allows authenticated attackers to inject arbitrary JavaScript code into web pages, potentially compromising site integrity and user sessions. The vulnerability resides in improper input neutralization during web page generation, enabling malicious scripts to execute in the context of affected websites. EPSS exploitation probability is extremely low at 0.01% (3rd percentile), indicating minimal real-world attack likelihood despite the XSS vector.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-63005 This Week

Stored cross-site scripting (XSS) in Tomas WordPress Tooltips plugin versions 10.9.3 and earlier allows authenticated attackers to inject malicious scripts into tooltip content that execute in the browsers of site administrators and other users. The vulnerability affects WordPress Tooltips through version 10.9.3, and exploitation requires an authenticated user with permissions to create or modify tooltips. No public exploit code or active exploitation has been identified at time of analysis.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-63000 This Week

Stored cross-site scripting (XSS) in wpforchurch Sermon Manager WordPress plugin through version 2.30.0 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site administrators and other users. The vulnerability affects sermon content input validation, enabling attackers with contributor or editor privileges to compromise website integrity and steal sensitive data from higher-privileged users.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62992 HIGH This Week

Cross-Site Request Forgery (CSRF) in Everest Backup WordPress plugin versions ≤2.3.11 enables unauthenticated attackers to manipulate backup file paths via path traversal, potentially exposing sensitive files or altering backup integrity. The vulnerability requires user interaction (CVSS UI:R) and carries no authentication requirement (PR:N), allowing remote exploitation through social engineering. EPSS probability of 0.01% (1st percentile) indicates minimal observed exploitation activity in the wild, and no public exploit has been identified at time of analysis. Despite CVSS 8.1 severity reflecting high confidentiality and integrity impact, real-world risk remains moderate given the user-interaction dependency and absence of active exploitation indicators.

WordPress PHP CSRF Path Traversal Everest Backup
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-62761 This Week

Stored cross-site scripting (XSS) vulnerability in BasePress Knowledge Base documentation & wiki plugin versions through 2.17.0.1 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of other users viewing affected content. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise user sessions, steal credentials, or deface documentation within WordPress installations using BasePress. With EPSS exploitation probability at 0.04% (14th percentile), real-world exploitation risk is currently low, though the stored nature of the XSS makes it a persistence risk if discovered by threat actors.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62760 This Week

Stored cross-site scripting (XSS) in BuddyDev BuddyPress Activity Shortcode plugin through version 1.1.8 allows attackers to inject and persist malicious scripts that execute in users' browsers. The vulnerability affects WordPress sites using this plugin, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and active exploitation has not been confirmed.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62759 This Week

Stored cross-site scripting (XSS) in the Justin Tadlock Series WordPress plugin up to version 2.0.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage within the plugin's data structures. With an EPSS score of 0.04% and low exploitation probability, this represents a lower-priority but still exploitable vulnerability in a plugin with active distribution.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62758 This Week

DOM-based cross-site scripting (XSS) in Funnelforms Free WordPress plugin version 3.8 and earlier allows authenticated attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability has a low EPSS score (0.04%, 14th percentile) and no confirmed active exploitation, suggesting limited real-world attack probability despite the XSS classification.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62146 This Week

Stored XSS vulnerability in MX Time Zone Clocks WordPress plugin versions up to 5.1.1 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during web page generation, enabling persistent cross-site scripting attacks that could compromise site visitors, steal session tokens, or deface content. EPSS score of 0.04% indicates low real-world exploitation probability, though the stored nature of the XSS makes it a medium-priority remediation target for affected WordPress administrators.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62136 This Week

Stored cross-site scripting (XSS) vulnerability in the Melos WordPress theme through version 1.6.0 allows attackers to inject and execute arbitrary JavaScript code that persists in the application and executes in the browsers of other users. The vulnerability affects all versions up to and including 1.6.0, and while no CVSS vector is formally assigned, the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the stored nature of the flaw.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-68885 This Week

Cross-site request forgery (CSRF) vulnerability in the WordPress Custom Post Status plugin up to version 1.1.0 enables attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The CSRF protection bypass allows unauthenticated attackers to craft malicious requests that, when clicked by an admin, result in persistent JavaScript injection into the WordPress database. This is a chained vulnerability where CSRF-enabled request forgery leads to XSS payload storage.

WordPress PHP CSRF XSS
NVD
EPSS
0.0%
CVE-2025-49354 This Week

Stored XSS vulnerability in the Recent Posts From Each Category WordPress plugin through version 1.4 is exploitable via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that execute in the context of site administrators and visitors. The vulnerability combines a CSRF flaw with inadequate input sanitization, enabling persistent payload storage that affects all users viewing affected plugin output.

WordPress PHP CSRF XSS
NVD
EPSS
0.0%
CVE-2025-49353 This Week

Cross-site request forgery (CSRF) in the Marcin Kijak Noindex by Path WordPress plugin through version 1.0 allows unauthenticated attackers to perform unauthorized administrative actions such as modifying plugin settings via crafted HTML or JavaScript on attacker-controlled sites. Chained with stored XSS, the vulnerability enables attackers to inject malicious scripts that persist in the plugin's data, affecting all users who access the compromised settings. No public exploit code has been identified, and real-world exploitation risk is minimal (EPSS 0.02%), indicating this is primarily a theoretical risk in low-traffic or neglected WordPress installations.

WordPress PHP CSRF XSS
NVD
EPSS
0.0%
CVE-2025-49345 This Week

WP-EasyArchives WordPress plugin versions 3.1.2 and earlier contains a cross-site request forgery (CSRF) vulnerability that enables stored cross-site scripting (XSS) attacks. An unauthenticated attacker can craft a malicious request to trick authenticated administrators into performing unintended actions, potentially injecting persistent JavaScript payloads that execute in the browsers of all site visitors. With an EPSS score of 0.02% (5th percentile), this vulnerability represents minimal real-world exploitation probability despite the attack chain complexity.

WordPress PHP CSRF XSS
NVD
EPSS
0.0%
CVE-2025-49344 This Week

Cross-site request forgery (CSRF) vulnerability in reneade SensitiveTagCloud WordPress plugin through version 1.4.1 allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially combined with stored XSS to inject malicious content. The vulnerability affects all versions up to and including 1.4.1, with no CVSS vector provided, but EPSS data suggests low real-world exploitation probability (EPSS 0.02%).

WordPress PHP CSRF XSS
NVD
EPSS
0.0%
CVE-2025-49343 This Week

Cross-site request forgery (CSRF) vulnerability in the Social Profilr WordPress plugin version 1.0 and earlier allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The vulnerability affects the social-profilr-display-social-network-profile plugin and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or confirmed active exploitation identified at the time of analysis.

WordPress PHP CSRF XSS
NVD
EPSS
0.0%
CVE-2025-49342 This Week

Cross-Site Request Forgery (CSRF) in the Custom Style WordPress plugin up to version 1.0 enables attackers to perform unauthorized administrative actions, potentially leading to stored cross-site scripting (XSS) injection. The vulnerability affects all versions from initial release through 1.0, with no CVSS score published but an EPSS score of 0.02% indicating minimal observed exploitation probability. No active KEV status or public exploit code has been identified.

WordPress PHP CSRF XSS
NVD
EPSS
0.0%
CVE-2025-59137 This Week

Stored XSS via CSRF in eleopard Behance Portfolio Manager WordPress plugin versions up to 1.7.5 allows authenticated attackers to inject malicious scripts through cross-site request forgery mechanisms, potentially compromising site administrators and visitors. The EPSS score of 0.02% indicates low exploitation probability, though the vulnerability type suggests a chainable attack vector when combined with social engineering. No CVSS score was assigned, limiting quantification of attack complexity and privilege requirements.

WordPress PHP CSRF XSS
NVD
EPSS
0.0%
CVE-2025-49346 This Week

Cross-site request forgery (CSRF) vulnerability in Simple Archive Generator WordPress plugin through version 5.2 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored XSS injection. The vulnerability requires tricking an administrator into visiting a malicious page but carries low exploitation probability (EPSS 0.02%) despite being simple to execute, suggesting limited real-world weaponization.

WordPress PHP CSRF XSS
NVD
EPSS
0.0%
CVE-2025-62753 Monitor

Local file inclusion vulnerability in MadrasThemes MAS Videos WordPress plugin versions up to 1.3.4 allows unauthenticated attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability affects the masvideos plugin and has been tracked by Patchstack with an EPSS score of 0.17% (38th percentile), indicating low exploitation probability despite the presence of information disclosure risk.

PHP Lfi WordPress
NVD
EPSS
0.2%
CVE-2025-59131 This Week

WP-CalDav2ICS WordPress plugin through version 1.3.4 contains a Cross-Site Request Forgery (CSRF) vulnerability that enables Stored XSS attacks. The vulnerability allows unauthenticated attackers to craft malicious requests that, when executed by a logged-in administrator or user, inject persistent malicious scripts into the plugin's stored data. This combined CSRF+XSS chain can lead to persistent compromise of the WordPress site through script injection.

WordPress PHP CSRF XSS
NVD
EPSS
0.0%
CVE-2025-66103 This Week

DOM-based cross-site scripting (XSS) in WPCal.io WordPress plugin versions 0.9.5.9 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected websites. No CVSS score is available, but the EPSS score of 0.04% (14th percentile) indicates low practical exploitation likelihood despite the XSS vector being a common attack class.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62128 This Week

Missing authorization in SiteLock Security WordPress plugin versions through 5.0.1 allows attackers to exploit incorrectly configured access control to bypass security restrictions. Unauthenticated remote attackers can leverage this CWE-862 vulnerability to gain unauthorized access to protected functionality or resources without proper privilege validation. The issue is tagged as an authentication bypass with low EPSS exploitation probability (0.05%, 17th percentile), indicating limited real-world attack likelihood despite the authorization flaw.

WordPress PHP Authentication Bypass
NVD
EPSS
0.1%
CVE-2025-62112 This Week

Cross-site request forgery (CSRF) vulnerability in the Easy Property Listings XML/CSV Import plugin for WordPress (versions <= 2.2.1) allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the import functionality and carries minimal real-world exploitation risk based on EPSS scoring (0.02%, 5th percentile), indicating low likelihood of automated exploitation despite the CSRF vector requiring no special privileges or authentication from the attacker's perspective.

WordPress PHP CSRF
NVD
EPSS
0.0%
CVE-2025-59129 This Week

Blind SQL Injection in Appointify WordPress plugin version 1.0.8 and earlier allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying database. The vulnerability enables data extraction and manipulation through time-based or error-based inference techniques without requiring valid credentials or authentication. EPSS score of 0.04% indicates low statistical likelihood of exploitation despite the technical severity of SQL injection.

WordPress PHP SQLi
NVD
EPSS
0.0%
CVE-2025-52835 This Week

CSRF vulnerability in WING WordPress Migrator plugin through version 1.2.0 permits unauthenticated attackers to upload web shells to affected WordPress sites by tricking site administrators into visiting a malicious webpage. The vulnerability exploits missing nonce verification in file upload functionality, enabling arbitrary code execution with web server privileges. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress PHP CSRF File Upload
NVD
EPSS
0.0%
CVE-2025-66080 This Week

Missing authorization controls in WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin (versions up to 4.0.3) allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized modification of cookie consent settings and GDPR compliance configurations. No public exploit code has been identified at time of analysis, though the vulnerability carries a low EPSS score (0.06%, 19th percentile) suggesting minimal real-world exploitation likelihood despite the authorization flaw.

WordPress PHP Authentication Bypass
NVD
EPSS
0.1%
CVE-2025-64190 This Week

DOM-based cross-site scripting (XSS) in 8theme XStore Core plugin (et-core-plugin) versions below 5.6 allows attackers to inject malicious scripts that execute in users' browsers during web page generation. The vulnerability affects WordPress installations using the vulnerable plugin, and while no CVSS score was assigned, the extremely low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the XSS classification.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-63027 This Week

Stored cross-site scripting (XSS) in webcreations907 WBC907 Core WordPress plugin versions up to 3.4.1 allows attackers to inject and execute malicious JavaScript that persists in the application, potentially compromising users who view affected pages. The vulnerability stems from improper input neutralization during web page generation. No public exploit code or active exploitation has been identified at the time of analysis, though the attack vector and complexity depend on the specific injection point within the plugin.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-62746 This Week

Stored cross-site scripting (XSS) in CodeFlavors Featured Video for WordPress (VideographyWP) plugin version 1.0.18 and earlier allows authenticated attackers to inject malicious scripts that execute in the browsers of other site users, potentially compromising administrator accounts and site integrity. The vulnerability stems from improper input sanitization during web page generation, and no public exploit code has been identified at the time of analysis.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-69026 MEDIUM This Month

Roxnor PopupKit popup-builder-block plugin through version 2.2.4 exposes sensitive system information to authenticated users via an information disclosure vulnerability. An authenticated attacker can retrieve embedded sensitive data that should not be accessible, potentially gaining insight into system configuration or other restricted information. The CVSS 4.3 score reflects low real-world impact (confidentiality only, low privileges required), and EPSS exploitation probability is minimal at 0.04%, indicating this is a lower-priority vulnerability despite affecting a WordPress plugin.

WordPress PHP Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69022 MEDIUM This Month

HR Management Lite WordPress plugin versions 3.6 and earlier contain a missing authorization vulnerability allowing authenticated users to access or modify resources without proper access control checks. An attacker with low-privilege user credentials can exploit incorrectly configured access control to read or modify sensitive data within the plugin's functionality, though the vulnerability requires prior authentication and does not enable privilege escalation or system-wide impact.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69017 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Magnigenie RestroPress WordPress plugin through version 3.2.8.4 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or defacing content. The vulnerability requires user interaction (UI:R) and affects only authenticated attackers (PR:L), limiting immediate exploitation risk despite the moderate CVSS score of 6.5. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69016 MEDIUM This Month

Authenticated users without proper authorization can modify content in the auxin-elements WordPress plugin (versions up to 2.17.15) due to missing access control checks on shortcode functionality. The vulnerability requires an authenticated account with low privileges and allows integrity compromise through shortcode manipulation, with an EPSS score of 0.04% indicating low real-world exploitation likelihood despite confirmed access control weakness.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68997 MEDIUM This Month

Authorization bypass in wpDiscuz WordPress plugin through version 7.6.43 allows unauthenticated remote attackers to access user-controlled data via improperly configured access controls, resulting in limited information disclosure with a CVSS score of 5.3. The vulnerability exploits insecure direct object references (IDOR) where access control checks fail to properly validate object ownership, enabling attackers to enumerate or retrieve comment data they should not access. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.04% suggests minimal real-world exploitation likelihood despite the relatively accessible attack vector.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68995 MEDIUM This Month

Missing authorization in Premio My Sticky Elements plugin (version 2.3.3 and earlier) allows authenticated users to modify data they should not have access to due to incorrectly configured access control security levels. The vulnerability requires an authenticated attacker with low privileges and carries a CVSS score of 4.3 with low real-world exploitation probability (EPSS 0.04%). No public exploit code or active exploitation has been identified.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68989 HIGH This Week

Sensitive data exposure in Contact Form 7 Mailchimp Extension plugin for WordPress (versions ≤0.9.68) allows unauthenticated remote attackers to retrieve embedded sensitive information through network-accessible endpoints. The vulnerability enables unauthorized access to confidential data with low attack complexity and no user interaction required. EPSS score of 0.05% (14th percentile) indicates low observed exploitation probability, and no public exploit has been identified at time of analysis.

WordPress PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68987 CRITICAL Act Now

Local file inclusion in Edge-Themes Cinerama WordPress theme versions ≤2.9 enables unauthenticated remote attackers to read arbitrary server files through PHP file inclusion weaknesses. Despite the CVSS critical rating of 9.8, EPSS probability is low (0.17%, 38th percentile) with no public exploit identified at time of analysis. The vulnerability allows server-side file reading which could expose configuration files, credentials, and sensitive data without authentication requirements.

WordPress PHP Lfi Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-68499 This Week

DOM-based cross-site scripting (XSS) in Crocoblock JetTabs WordPress plugin versions up to 2.2.12 allows attackers to inject malicious scripts that execute in users' browsers when viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling stored or reflected XSS attacks without requiring authentication. With an EPSS score of 0.04% (14th percentile), exploitation likelihood is very low despite the publicly documented vulnerability.

WordPress XSS PHP
NVD
EPSS
0.0%
CVE-2025-68498 This Week

Missing authorization in Crocoblock JetTabs WordPress plugin version 2.2.12 and earlier allows unauthenticated or low-privileged attackers to bypass access control restrictions and exploit misconfigured security levels. The vulnerability stems from improper validation of user permissions before executing sensitive operations, potentially enabling unauthorized access to restricted plugin functionality or data.

WordPress PHP Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-68040 Monitor

WP Project Manager plugin through version 3.0.1 exposes sensitive information in sent data due to improper information handling, allowing attackers to retrieve embedded sensitive data without authentication. The vulnerability affects all installations of the weDevs plugin and has been identified with an extremely low EPSS score (0.05%, 14th percentile), suggesting minimal practical exploitation likelihood despite the information disclosure classification.

WordPress PHP Information Disclosure
NVD
EPSS
0.0%
CVE-2025-68036 This Week

CubeWP framework plugin through version 1.1.27 fails to enforce proper access control checks, allowing attackers to access functionality that should be restricted by access control lists. This authentication bypass vulnerability has low real-world exploitation probability (EPSS 0.05%) but represents a fundamental authorization flaw in the plugin's architecture that could enable privilege escalation or unauthorized feature access depending on implementation context.

WordPress PHP Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-23554 This Week

Reflected cross-site scripting (XSS) in the Off Page SEO WordPress plugin through version 3.0.3 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code has been identified, and the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the moderate theoretical attack surface.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-23458 This Week

Reflected cross-site scripting (XSS) in the Rakessh Ads24 Lite WordPress plugin (wp-ad-management) up to version 1.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when visited, potentially compromising user sessions, stealing credentials, or defacing content. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the straightforward attack vector.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-68607 This Week

Stored cross-site scripting (XSS) in WordPress Custom Field Template plugin through version 2.7.7 allows authenticated users to inject malicious scripts that execute in the browsers of other users who view affected content, potentially compromising site security and user data. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the high-impact nature of stored XSS on WordPress sites.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-68504 This Week

DOM-based cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin through version 3.5.16 allows attackers to inject malicious scripts into the search interface that execute in users' browsers. The vulnerability affects the plugin's web page generation when processing search input, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of authenticated users without requiring authentication themselves. No CVSS score was available at analysis time, but the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the XSS vector.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-68503 This Week

Missing authorization in Crocoblock JetBlog plugin versions up to 2.4.7 allows unauthenticated attackers to exploit incorrectly configured access control, potentially bypassing intended security restrictions on blog content and administrative functions. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to sensitive operations, with an EPSS score of 0.04% indicating low real-world exploitation probability despite the authorization defect.

WordPress PHP Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-68502 Monitor

Authorization Bypass in Crocoblock JetPopup WordPress plugin through version 2.0.20.1 allows attackers to exploit incorrectly configured access control security levels via user-controlled keys, enabling unauthorized access to protected popup content and functionality. EPSS score of 0.04% indicates low exploitation probability despite the authorization flaw; no public exploit code or active exploitation has been identified.

WordPress PHP Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-68861 This Week

Missing authorization in Plugin Optimizer WordPress plugin through version 1.3.7 allows attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from missing authorization checks (CWE-862), enabling attackers to bypass security restrictions without proper administrative privileges. While EPSS scoring (0.06%, 17th percentile) indicates low exploitation probability, the authentication bypass classification warrants prompt patching.

WordPress PHP Authentication Bypass
NVD
EPSS
0.1%
CVE-2025-68868 This Week

Stored cross-site scripting (XSS) in codeaffairs Wp Text Slider Widget plugin for WordPress versions 1.0 and earlier enables authenticated attackers to inject malicious scripts that execute in the browsers of site administrators and other users. The vulnerability arises from improper input sanitization during widget configuration, allowing persistent code injection through the plugin's admin interface.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-68897 This Week

Remote code injection in IF AS Shortcode WordPress plugin versions up to 1.2 allows attackers to execute arbitrary code through improper handling of shortcode parameters. The vulnerability stems from CWE-94 (Improper Control of Code Generation) and affects WordPress installations using this plugin. Patchstack reported the vulnerability; however, no CVSS vector is provided and EPSS probability is low at 0.07%, suggesting limited real-world exploit activity at the time of analysis.

WordPress PHP Code Injection
NVD
EPSS
0.1%
CVE-2025-68893 This Week

Server-Side Request Forgery (SSRF) in WordPress Image Shrinker plugin versions up to 1.1.0 enables unauthenticated remote attackers to forge requests from the affected server to internal or external resources, potentially exposing sensitive data or enabling lateral movement within network infrastructure. The vulnerability has extremely low exploitation probability (EPSS 0.04th percentile) and no public exploit code identified, suggesting limited real-world threat despite the technical severity of SSRF vulnerabilities.

WordPress PHP SSRF
NVD
EPSS
0.0%
CVE-2025-68879 This Week

Reflected cross-site scripting (XSS) in the Content Grid Slider WordPress plugin through version 1.5 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing script payloads that execute in the victim's browser when the page is rendered, potentially enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the EPSS score of 0.04% indicates minimal real-world exploitation likelihood despite the vulnerability's technical severity.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-68878 This Week

Reflected cross-site scripting (XSS) in Advanced Custom CSS WordPress plugin versions through 1.1.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session tokens, credentials, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation risk despite the straightforward attack vector.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-68877 Monitor

Local file inclusion in CedCommerce Integration for Good Market WordPress plugin versions 1.0.6 and earlier allows unauthenticated attackers to read arbitrary files from the server via improper filename validation in PHP include/require statements. The vulnerability affects a popular e-commerce integration plugin used by WooCommerce merchants, exposing sensitive configuration files, database credentials, and other sensitive data accessible to the web server process. EPSS probability of 0.14% suggests low real-world exploitation likelihood despite the information disclosure impact.

WordPress PHP Lfi
NVD
EPSS
0.1%
CVE-2025-68605 MEDIUM This Month

Stored XSS in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions <= 2.3.23) allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user data. The vulnerability requires user interaction (viewing a page with the injected content) and affects components beyond the vulnerable plugin itself (Scope: Changed per CVSS:3.1/S:C). EPSS score of 0.04% indicates low real-world exploitation probability despite CVE publication.

WordPress PHP XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68602 MEDIUM This Month

Open redirect vulnerability in Scott Paterson Accept Donations with PayPal & Stripe WordPress plugin (versions <= 1.5.2) enables attackers to craft malicious URLs that redirect users to untrusted sites, facilitating phishing attacks. The vulnerability requires user interaction (UI:R) but affects the plugin's core donation handling, allowing an unauthenticated attacker to chain this with social engineering to compromise user credentials or distribute malware through redirects to fraudulent payment pages.

WordPress PHP Open Redirect
NVD
CVSS 3.1
6.1
EPSS
1.4%
CVE-2025-68601 HIGH This Week

Cross-Site Request Forgery (CSRF) in Five Star Restaurant Reservations WordPress plugin versions ≤2.7.8 enables unauthenticated attackers to perform unauthorized administrative actions through social engineering. With CVSS 8.8 (High), the vulnerability requires no privileges and low attack complexity, though user interaction is necessary. EPSS probability is minimal (0.02%, 6th percentile), indicating low observed exploitation likelihood despite the high CVSS score. No confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.

WordPress PHP CSRF
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-68600 CRITICAL Act Now

Server-Side Request Forgery in WordPress Link Library plugin versions up to 7.8.7 allows unauthenticated remote attackers to make arbitrary HTTP requests from the server, potentially accessing internal resources, cloud metadata endpoints, or conducting reconnaissance of internal network infrastructure. CVSS score of 9.1 indicates high severity, though EPSS of 0.04% (14th percentile) suggests limited observed exploitation attempts. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis.

WordPress PHP SSRF
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-68598 MEDIUM This Month

Stored cross-site scripting (XSS) in Live Composer page builder plugin for WordPress (versions through 2.1.11) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with contributor or editor access can store XSS payloads that persist in the database and execute when administrators or other site visitors interact with the affected content, potentially leading to session hijacking, credential theft, or malware distribution.

WordPress PHP XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68597 MEDIUM This Month

Stored cross-site scripting (XSS) in BlueGlass Interactive AG Jobs for WordPress plugin versions 2.8.1 and earlier allows authenticated users with low privileges to inject malicious scripts into job postings that execute in the browsers of other site visitors. The vulnerability requires user interaction (clicking a crafted link) and affects website visitors with cross-site request forgery capabilities, resulting in limited confidentiality and integrity impact but no availability impact. The issue has a low exploitation probability (EPSS 0.04%) despite publicly disclosed details.

WordPress PHP XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68595 HIGH This Week

Broken access control in Trustindex Widgets for Social Photo Feed (WordPress plugin) through version 1.8 allows authenticated attackers with low privileges to bypass authorization controls and execute high-impact actions. The vulnerability has low attack complexity (CVSS:3.1 AV:N/AC:L/PR:L) enabling compromise of confidentiality, integrity, and availability. EPSS score of 0.06% (18th percentile) indicates relatively low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, suggesting this remains a patch-priority issue rather than an active threat.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68594 HIGH This Week

Broken access control in Opinion Stage Poll, Survey & Quiz Maker Plugin for WordPress versions through 19.12.0 allows authenticated attackers with low-level privileges to bypass authorization checks and access or modify high-sensitivity data. The vulnerability (CWE-862: Missing Authorization) enables privilege escalation through improperly configured access control mechanisms. EPSS probability is low at 0.04% (13th percentile), and no public exploit identified at time of analysis, though authentication bypass tags indicate established attack patterns exist for this vulnerability class.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-68591 HIGH This Week

Missing authorization in Simple File List WordPress plugin 6.1.18 and earlier allows authenticated low-privilege users to bypass access controls and gain unauthorized read/write access to file list data. Tagged as an authentication bypass vulnerability with EPSS score of 0.04% (13th percentile), indicating low observed exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-68589 HIGH This Week

Broken access control in WP Telegram Widget and Join Link plugin versions up to 2.2.12 allows authenticated users with low privileges to bypass authorization checks and access high-sensitivity configuration or data. The vulnerability enables unauthorized read and write operations (CVSS C:H/I:H) without requiring user interaction. EPSS score of 0.04% suggests low observed exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-68588 HIGH This Week

Access control bypass in TS Poll WordPress plugin (versions ≤2.5.5) allows low-privileged authenticated users to escalate privileges and gain unauthorized read/write access to poll data. Attackers with basic subscriber accounts can exploit misconfigured authorization checks to access or modify content beyond their intended permission level. EPSS exploitation probability is low (0.04%, 13th percentile), with no public exploit identified at time of analysis, suggesting limited immediate risk despite the 8.1 CVSS score.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-68569 HIGH This Week

Broken access control in WP Time Slots Booking Form plugin (≤1.2.39) allows authenticated attackers with low-level privileges to escalate permissions and execute unauthorized administrative actions. The vulnerability stems from missing authorization checks (CWE-862), enabling privilege escalation to access, modify, or delete sensitive booking data and configuration settings. While CVSS scores 8.8 (High), real-world risk appears moderate with EPSS at 0.06% (18th percentile) and no public exploit identified at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68568 HIGH This Week

Missing authorization in Claspo WordPress plugin through version 1.0.7 allows unauthenticated remote attackers to modify data via incorrectly configured access controls. With CVSS 7.5 (High integrity impact) but only 0.04% EPSS probability, this represents elevated exposure in vulnerable installations despite low observed exploitation likelihood. No public exploit identified at time of analysis, though the authentication bypass tag indicates potential for unauthorized actions without credentials.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68567 HIGH This Week

Cross-Site Request Forgery in WordPress plugin My Auctions Allegro (versions ≤3.6.33) allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through social engineering. CVSS 8.8 severity stems from potential high confidentiality, integrity, and availability impact if victims are tricked into clicking malicious links while authenticated. EPSS score of 0.02% (6th percentile) indicates very low probability of exploitation in the wild. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring user interaction.

WordPress PHP CSRF
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-68566 MEDIUM This Month

Stored cross-site scripting (XSS) in WordPress plugin My Auctions Allegro (versions up to 3.6.35) allows authenticated users to inject malicious scripts that execute in other users' browsers when viewing auction content. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected WordPress installations, though with limited scope within the plugin context. No public exploit code or active exploitation has been identified; real-world risk is moderate given the requirement for authenticated access and user interaction.

WordPress PHP XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68496 CRITICAL Act Now

Blind SQL injection in User Feedback WordPress plugin (versions ≤1.10.0) allows unauthenticated remote attackers to extract database contents, modify data, or execute administrative commands. The vulnerability carries a critical CVSS score of 9.8 due to network-based exploitation requiring no privileges or user interaction. While EPSS probability is low (0.05%, 14th percentile) and no active exploitation is confirmed at time of analysis, the severity and unauthenticated attack vector make this a priority for WordPress administrators using this plugin. Patchstack security audit identified this flaw as CWE-89 SQL injection stemming from improper input sanitization.

WordPress PHP SQLi
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-68038 CRITICAL Act Now

PHP object injection in Icegram Express Pro (WordPress email marketing plugin) through version 5.9.13 enables unauthenticated remote attackers to execute arbitrary code via unsafe deserialization of user-controlled data. With CVSS 9.8 (critical severity) and network-accessible attack vector requiring no authentication or user interaction, this represents a severe pre-authentication RCE risk. EPSS score of 0.06% (19th percentile) suggests low immediate exploitation probability, and no public exploit or CISA KEV listing identified at time of analysis, though Patchstack disclosure increases attacker awareness.

WordPress PHP Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-68561 This Week

SQL injection in AutomatorWP WordPress plugin through version 5.2.4 allows authenticated attackers to execute arbitrary SQL commands. The vulnerability exists in the plugin's database query handling where user-supplied input is not properly sanitized before being used in SQL statements. While EPSS scoring indicates low exploitation probability (0.04th percentile), the SQL injection vector represents a critical capability if exploited, potentially enabling data exfiltration, modification, or deletion from the affected WordPress database.

WordPress PHP SQLi
NVD
EPSS
0.0%
CVE-2025-68560 Monitor

Local file inclusion vulnerability in CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin through version 5.10.5.1 allows attackers to read arbitrary files from the server via improper control of filename parameters in PHP include/require statements. The vulnerability carries a low EPSS score of 0.17% (38th percentile), indicating minimal real-world exploitation probability despite being a classic PHP file inclusion flaw affecting an Elementor page builder plugin.

WordPress PHP File Upload
NVD
EPSS
0.2%
CVE-2025-68559 This Week

Cross-site scripting (XSS) vulnerability in CodexThemes TheGem Theme Elements (for Elementor) plugin through version 5.10.5.1 allows improper neutralization of input during web page generation. Attackers can inject malicious scripts that execute in the context of other users' browsers, potentially compromising WordPress site visitors and administrators. No active exploitation has been confirmed at time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the vulnerability's presence in a widely-used Elementor theme plugin.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-68556 This Week

Missing authorization controls in VillaTheme HAPPY helpdesk plugin versions up to 1.0.9 allow unauthenticated attackers to bypass access restrictions and interact with support ticket functionality without proper permission verification. This authentication bypass vulnerability affects WordPress installations using the vulnerable plugin and could permit unauthorized access to sensitive support tickets and helpdesk operations. The issue has been reported by Patchstack security researchers with a low EPSS exploitation probability (0.04%) despite the authorization flaw.

WordPress PHP Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-68550 This Week

Blind SQL injection in VillaTheme WPBulky plugin through version 1.1.13 allows attackers to extract sensitive data from WordPress databases via improper neutralization of SQL command elements. The vulnerability affects the wpbulky-wp-bulk-edit-post-types plugin and is confirmed by security audit firm Patchstack, though no public exploit code or active exploitation has been documented at time of analysis.

WordPress PHP SQLi
NVD
EPSS
0.0%
CVE-2025-68548 This Week

Stored cross-site scripting (XSS) in WebCodingPlace Responsive Posts Carousel Pro WordPress plugin versions 15.2 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise site integrity and steal sensitive user data. EPSS exploitation probability is notably low (0.04%, 14th percentile), suggesting limited real-world attack incentive despite the stored nature of the flaw.

WordPress PHP XSS
NVD
EPSS
0.0%
CVE-2025-68546 Monitor

Local file inclusion (LFI) vulnerability in Thembay Nika WordPress theme version 1.2.14 and earlier allows unauthenticated attackers to read arbitrary files from the server via improper control of filename parameters in PHP include/require statements. The vulnerability has a low EPSS score (0.17%, 38th percentile) and no confirmed active exploitation, but successful exploitation could disclose sensitive configuration files, source code, or other protected data.

WordPress PHP Lfi
NVD
EPSS
0.2%
CVE-2025-68544 Monitor

Local file inclusion (LFI) vulnerability in thembay Diza WordPress theme through version 1.3.15 allows unauthenticated attackers to read arbitrary files from the server filesystem via improper control of filename parameters in PHP include/require statements. The vulnerability affects all versions of Diza up to and including 1.3.15, with no public exploit code identified at time of analysis, though the low EPSS score (0.17%) suggests limited real-world exploitation probability despite the attack vector being remote and unauthenticated.

PHP Lfi WordPress
NVD
EPSS
0.2%
CVE-2025-14163 MEDIUM PATCH This Month

Cross-Site Request Forgery in Premium Addons for Elementor plugin versions up to 4.11.53 allows unauthenticated remote attackers to create arbitrary Elementor templates by exploiting missing nonce validation in the 'insert_inner_template' function. An attacker must trick a site administrator or user with edit_posts capability into clicking a malicious link, but no public exploit code has been identified. The EPSS score of 0.02% indicates this vulnerability has very low exploitation probability in practice despite the CVSS 4.3 rating.

WordPress CSRF Premium Addons For Elementor
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62757
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) in WebMan Amplifier WordPress plugin through version 1.5.12 allows attackers to inject malicious scripts that execute in users' browsers. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks depending on the specific injection vector. With an EPSS score of 0.01% (3rd percentile) and no evidence of active exploitation, this represents a low real-world risk despite the XSS classification, though remediation is still recommended for all affected installations.

WordPress PHP XSS
NVD
CVE-2025-62756
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) in The Moneytizer WordPress plugin up to version 10.0.9 allows attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects WordPress sites running the vulnerable plugin versions and could enable session hijacking, credential theft, or malware distribution targeting site administrators and visitors. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.01% suggests minimal real-world exploitation probability.

WordPress PHP XSS
NVD
CVE-2025-62749
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) in Bainternet User Specific Content WordPress plugin versions 1.0.6 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While no public exploit code or active exploitation has been confirmed, the extremely low EPSS score (0.01%) and lack of CVSS vector data suggest limited real-world exploitability despite the XSS classification.

WordPress PHP XSS
NVD
CVE-2025-62748
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) in Genetech Products Web and WooCommerce Addons for WPBakery Builder (vc-addons-by-bit14) plugin versions up to 1.5 allows unauthenticated attackers to inject malicious scripts that execute in the context of affected user sessions. The vulnerability stems from improper neutralization of user-supplied input during web page generation. EPSS scoring (0.01%, percentile 3%) indicates very low real-world exploitation probability despite the nature of the flaw, and no public exploit code or active exploitation has been confirmed.

WordPress Woocommerce PHP
NVD
CVE-2025-62135
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) vulnerability in the Responsive Block Control WordPress plugin through version 1.3.0 allows attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction with a malicious link or form, but once triggered, the vulnerability enables session hijacking, credential theft, or defacement. The vulnerability has an exceptionally low EPSS score (0.01th percentile) suggesting minimal real-world exploitation likelihood despite public disclosure.

WordPress PHP XSS
NVD
CVE-2025-49358
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) vulnerability in Ruhul Amin Content Fetcher WordPress plugin versions 1.1 and earlier allows authenticated attackers to inject arbitrary JavaScript code into web pages, potentially compromising site integrity and user sessions. The vulnerability resides in improper input neutralization during web page generation, enabling malicious scripts to execute in the context of affected websites. EPSS exploitation probability is extremely low at 0.01% (3rd percentile), indicating minimal real-world attack likelihood despite the XSS vector.

WordPress PHP XSS
NVD
CVE-2025-63005
EPSS 0%
This Week

Stored cross-site scripting (XSS) in Tomas WordPress Tooltips plugin versions 10.9.3 and earlier allows authenticated attackers to inject malicious scripts into tooltip content that execute in the browsers of site administrators and other users. The vulnerability affects WordPress Tooltips through version 10.9.3, and exploitation requires an authenticated user with permissions to create or modify tooltips. No public exploit code or active exploitation has been identified at time of analysis.

WordPress PHP XSS
NVD
CVE-2025-63000
EPSS 0%
This Week

Stored cross-site scripting (XSS) in wpforchurch Sermon Manager WordPress plugin through version 2.30.0 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site administrators and other users. The vulnerability affects sermon content input validation, enabling attackers with contributor or editor privileges to compromise website integrity and steal sensitive data from higher-privileged users.

WordPress PHP XSS
NVD
CVE-2025-62992
EPSS 0% CVSS 8.1
HIGH This Week

Cross-Site Request Forgery (CSRF) in Everest Backup WordPress plugin versions ≤2.3.11 enables unauthenticated attackers to manipulate backup file paths via path traversal, potentially exposing sensitive files or altering backup integrity. The vulnerability requires user interaction (CVSS UI:R) and carries no authentication requirement (PR:N), allowing remote exploitation through social engineering. EPSS probability of 0.01% (1st percentile) indicates minimal observed exploitation activity in the wild, and no public exploit identified at time of analysis. Despite CVSS 8.1 severity reflecting high confidentiality and integrity impact, real-world risk remains moderate given the user-interaction dependency and absence of active exploitation indicators.

WordPress PHP CSRF
NVD
CVE-2025-62761
EPSS 0%
This Week

Stored cross-site scripting (XSS) vulnerability in BasePress Knowledge Base documentation & wiki plugin versions through 2.17.0.1 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of other users viewing affected content. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise user sessions, steal credentials, or deface documentation within WordPress installations using BasePress. With EPSS exploitation probability at 0.04% (14th percentile), real-world exploitation risk is currently low, though the stored nature of the XSS makes it a persistence risk if discovered by threat actors.

WordPress PHP XSS
NVD
CVE-2025-62760
EPSS 0%
This Week

Stored cross-site scripting (XSS) in BuddyDev BuddyPress Activity Shortcode plugin through version 1.1.8 allows attackers to inject and persist malicious scripts that execute in users' browsers. The vulnerability affects WordPress sites using this plugin, enabling attackers with plugin access to compromise user sessions and steal sensitive data. No public exploit code has been identified, and active exploitation has not been confirmed.

WordPress PHP XSS
NVD
CVE-2025-62759
EPSS 0%
This Week

Stored cross-site scripting (XSS) in the Justin Tadlock Series WordPress plugin up to version 2.0.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage within the plugin's data structures. With an EPSS score of 0.04% and low exploitation probability, this represents a lower-priority but still exploitable vulnerability in a plugin with active distribution.

WordPress PHP XSS
NVD
CVE-2025-62758
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) in Funnelforms Free WordPress plugin version 3.8 and earlier allows authenticated attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability has a low EPSS score (0.04%, 14th percentile) and no confirmed active exploitation, suggesting limited real-world attack probability despite the XSS classification.

WordPress PHP XSS
NVD
CVE-2025-62146
EPSS 0%
This Week

Stored XSS vulnerability in MX Time Zone Clocks WordPress plugin versions up to 5.1.1 allows authenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input sanitization during web page generation, enabling persistent cross-site scripting attacks that could compromise site visitors, steal session tokens, or deface content. EPSS score of 0.04% indicates low real-world exploitation probability, though the stored nature of the XSS makes it a medium-priority remediation target for affected WordPress administrators.

WordPress PHP XSS
NVD
CVE-2025-62136
EPSS 0%
This Week

Stored cross-site scripting (XSS) vulnerability in the Melos WordPress theme through version 1.6.0 allows attackers to inject and execute arbitrary JavaScript code that persists in the application and executes in the browsers of other users. The vulnerability affects all versions up to and including 1.6.0, and while no CVSS vector is formally assigned, the low EPSS score (0.04th percentile) suggests minimal real-world exploitation likelihood despite the stored nature of the flaw.

WordPress PHP XSS
NVD
CVE-2025-68885
EPSS 0%
This Week

Cross-site request forgery (CSRF) vulnerability in the WordPress Custom Post Status plugin up to version 1.1.0 enables attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The CSRF protection bypass allows unauthenticated attackers to craft malicious requests that, when clicked by an admin, result in persistent JavaScript injection into the WordPress database. This is a chained vulnerability where CSRF-enabled request forgery leads to XSS payload storage.

WordPress PHP CSRF +1
NVD
CVE-2025-49354
EPSS 0%
This Week

Stored XSS vulnerability in the Recent Posts From Each Category WordPress plugin through version 1.4 exploitable via Cross-Site Request Forgery (CSRF), allowing unauthenticated attackers to inject malicious scripts that execute in the context of site administrators and visitors. The vulnerability combines a CSRF flaw with inadequate input sanitization, enabling persistent payload storage that affects all users viewing affected plugin output.

WordPress PHP CSRF +1
NVD
CVE-2025-49353
EPSS 0%
This Week

Cross-site request forgery (CSRF) in the Marcin Kijak Noindex by Path WordPress plugin through version 1.0 allows unauthenticated attackers to perform unauthorized administrative actions such as modifying plugin settings via crafted HTML or JavaScript on attacker-controlled sites. The vulnerability chaining with stored XSS enables attackers to inject malicious scripts that persist in the plugin's data, affecting all users who access the compromised settings. No public exploit code has been identified, and real-world exploitation risk is minimal (EPSS 0.02%), indicating this is primarily a theoretical risk in low-traffic or neglected WordPress installations.

WordPress PHP CSRF +1
NVD
CVE-2025-49345
EPSS 0%
This Week

WP-EasyArchives WordPress plugin versions 3.1.2 and earlier contains a cross-site request forgery (CSRF) vulnerability that enables stored cross-site scripting (XSS) attacks. An unauthenticated attacker can craft a malicious request to trick authenticated administrators into performing unintended actions, potentially injecting persistent JavaScript payloads that execute in the browsers of all site visitors. With an EPSS score of 0.02% (5th percentile), this vulnerability represents minimal real-world exploitation probability despite the attack chain complexity.

WordPress PHP CSRF +1
NVD
CVE-2025-49344
EPSS 0%
This Week

Cross-site request forgery (CSRF) vulnerability in reneade SensitiveTagCloud WordPress plugin through version 1.4.1 allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially combined with stored XSS to inject malicious content. The vulnerability affects all versions up to and including 1.4.1, with no CVSS vector provided, but EPSS data suggests low real-world exploitation probability (0.02% percentile).

WordPress PHP CSRF +1
NVD
CVE-2025-49343
EPSS 0%
This Week

Cross-site request forgery (CSRF) vulnerability in the Social Profilr WordPress plugin version 1.0 and earlier allows attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored cross-site scripting (XSS) attacks. The vulnerability affects the social-profilr-display-social-network-profile plugin and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or confirmed active exploitation identified at the time of analysis.

WordPress PHP CSRF +1
NVD
CVE-2025-49342
EPSS 0%
This Week

Cross-Site Request Forgery (CSRF) in the Custom Style WordPress plugin up to version 1.0 enables attackers to perform unauthorized administrative actions, potentially leading to stored cross-site scripting (XSS) injection. The vulnerability affects all versions from initial release through 1.0, with no CVSS score published but an EPSS score of 0.02% indicating minimal observed exploitation probability. No active KEV status or public exploit code has been identified.

WordPress PHP CSRF +1
NVD
CVE-2025-59137
EPSS 0%
This Week

Stored XSS via CSRF in eleopard Behance Portfolio Manager WordPress plugin versions up to 1.7.5 allows authenticated attackers to inject malicious scripts through cross-site request forgery mechanisms, potentially compromising site administrators and visitors. The EPSS score of 0.02% indicates low exploitation probability, though the vulnerability type suggests a chainable attack vector when combined with social engineering. No CVSS score was assigned, limiting quantification of attack complexity and privilege requirements.

WordPress PHP CSRF +1
NVD
CVE-2025-49346
EPSS 0%
This Week

Cross-site request forgery (CSRF) vulnerability in Simple Archive Generator WordPress plugin through version 5.2 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, potentially leading to stored XSS injection. The vulnerability requires tricking an administrator into visiting a malicious page but carries low exploitation probability (EPSS 0.02%) despite being simple to execute, suggesting limited real-world weaponization.

WordPress PHP CSRF +1
NVD
CVE-2025-62753
EPSS 0%
Monitor

Local file inclusion vulnerability in MadrasThemes MAS Videos WordPress plugin versions up to 1.3.4 allows unauthenticated attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability affects the masvideos plugin and has been tracked by Patchstack with an EPSS score of 0.17% (38th percentile), indicating low exploitation probability despite the presence of information disclosure risk.

PHP Lfi WordPress
NVD
CVE-2025-59131
EPSS 0%
This Week

WP-CalDav2ICS WordPress plugin through version 1.3.4 contains a Cross-Site Request Forgery (CSRF) vulnerability that enables Stored XSS attacks. The vulnerability allows unauthenticated attackers to craft malicious requests that, when executed by a logged-in administrator or user, inject persistent malicious scripts into the plugin's stored data. This combined CSRF+XSS chain can lead to persistent compromise of the WordPress site through script injection.

WordPress PHP CSRF +1
NVD
CVE-2025-66103
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) in WPCal.io WordPress plugin versions 0.9.5.9 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected websites. No CVSS score is available, but the EPSS score of 0.04% (14th percentile) indicates low practical exploitation likelihood despite the XSS vector being a common attack class.

WordPress PHP XSS
NVD
CVE-2025-62128
EPSS 0%
This Week

Missing authorization in SiteLock Security WordPress plugin versions through 5.0.1 allows attackers to exploit incorrectly configured access control to bypass security restrictions. Unauthenticated remote attackers can leverage this CWE-862 vulnerability to gain unauthorized access to protected functionality or resources without proper privilege validation. The issue is tagged as an authentication bypass with low EPSS exploitation probability (0.05%, 17th percentile), indicating limited real-world attack likelihood despite the authorization flaw.

WordPress PHP Authentication Bypass
NVD
CVE-2025-62112
EPSS 0%
This Week

Cross-site request forgery (CSRF) vulnerability in the Easy Property Listings XML/CSV Import plugin for WordPress (versions <= 2.2.1) allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the import functionality and carries minimal real-world exploitation risk based on EPSS scoring (0.02%, 5th percentile), indicating low likelihood of automated exploitation despite the CSRF vector requiring no special privileges or authentication from the attacker's perspective.

WordPress PHP CSRF
NVD
CVE-2025-59129
EPSS 0%
This Week

Blind SQL Injection in Appointify WordPress plugin version 1.0.8 and earlier allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying database. The vulnerability enables data extraction and manipulation through time-based or error-based inference techniques without requiring valid credentials or authentication. EPSS score of 0.04% indicates low statistical likelihood of exploitation despite the technical severity of SQL injection.

WordPress PHP SQLi
NVD
CVE-2025-52835
EPSS 0%
This Week

CSRF vulnerability in WING WordPress Migrator plugin through version 1.2.0 permits unauthenticated attackers to upload web shells to affected WordPress sites by tricking site administrators into visiting a malicious webpage. The vulnerability exploits missing nonce verification in file upload functionality, enabling arbitrary code execution with web server privileges. No public exploit code or active exploitation confirmed at time of analysis.

WordPress PHP CSRF +1
NVD
CVE-2025-66080
EPSS 0%
This Week

Missing authorization controls in WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin (versions up to 4.0.3) allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized modification of cookie consent settings and GDPR compliance configurations. No public exploit code has been identified at time of analysis, though the vulnerability carries a low EPSS score (0.06%, 19th percentile) suggesting minimal real-world exploitation likelihood despite the authorization flaw.

WordPress PHP Authentication Bypass
NVD
CVE-2025-64190
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) in 8theme XStore Core plugin (et-core-plugin) versions below 5.6 allows attackers to inject malicious scripts that execute in users' browsers during web page generation. The vulnerability affects WordPress installations using the vulnerable plugin, and while no CVSS score was assigned, the extremely low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the XSS classification.

WordPress PHP XSS
NVD
CVE-2025-63027
EPSS 0%
This Week

Stored cross-site scripting (XSS) in webcreations907 WBC907 Core WordPress plugin versions up to 3.4.1 allows attackers to inject and execute malicious JavaScript that persists in the application, potentially compromising users who view affected pages. The vulnerability stems from improper input neutralization during web page generation. No public exploit code or active exploitation has been identified at the time of analysis, though the attack vector and complexity depend on the specific injection point within the plugin.

WordPress PHP XSS
NVD
CVE-2025-62746
EPSS 0%
This Week

Stored cross-site scripting (XSS) in CodeFlavors Featured Video for WordPress (VideographyWP) plugin version 1.0.18 and earlier allows authenticated attackers to inject malicious scripts that execute in the browsers of other site users, potentially compromising administrator accounts and site integrity. The vulnerability stems from improper input sanitization during web page generation, and no public exploit code has been identified at the time of analysis.

WordPress PHP XSS
NVD
CVE-2025-69026
EPSS 0% CVSS 4.3
MEDIUM This Month

Roxnor PopupKit popup-builder-block plugin through version 2.2.4 exposes sensitive system information to authenticated users via an information disclosure vulnerability. An authenticated attacker can retrieve embedded sensitive data that should not be accessible, potentially gaining insight into system configuration or other restricted information. The CVSS 4.3 score reflects low real-world impact (confidentiality only, low privileges required), and EPSS exploitation probability is minimal at 0.04%, indicating this is a lower-priority vulnerability despite affecting a WordPress plugin.

WordPress PHP Information Disclosure
NVD
CVE-2025-69022
EPSS 0% CVSS 5.4
MEDIUM This Month

HR Management Lite WordPress plugin versions 3.6 and earlier contain a missing authorization vulnerability allowing authenticated users to access or modify resources without proper access control checks. An attacker with low-privilege user credentials can exploit incorrectly configured access control to read or modify sensitive data within the plugin's functionality, though the vulnerability requires prior authentication and does not enable privilege escalation or system-wide impact.

WordPress PHP Authentication Bypass
NVD
CVE-2025-69017
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Magnigenie RestroPress WordPress plugin through version 3.2.8.4 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or defacing content. The vulnerability requires user interaction (UI:R) and affects only authenticated attackers (PR:L), limiting immediate exploitation risk despite the moderate CVSS score of 6.5. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress PHP XSS
NVD
CVE-2025-69016
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated users without proper authorization can modify content in the auxin-elements WordPress plugin (versions up to 2.17.15) due to missing access control checks on shortcode functionality. The vulnerability requires an authenticated account with low privileges and allows integrity compromise through shortcode manipulation, with an EPSS score of 0.04% indicating low real-world exploitation likelihood despite confirmed access control weakness.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68997
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in wpDiscuz WordPress plugin through version 7.6.43 allows unauthenticated remote attackers to access user-controlled data via improperly configured access controls, resulting in limited information disclosure with a CVSS score of 5.3. The vulnerability exploits insecure direct object references (IDOR) where access control checks fail to properly validate object ownership, enabling attackers to enumerate or retrieve comment data they should not access. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.04% suggests minimal real-world exploitation likelihood despite the relatively accessible attack vector.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68995
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in Premio My Sticky Elements plugin (version 2.3.3 and earlier) allows authenticated users to modify data they should not have access to due to incorrectly configured access control security levels. The vulnerability requires an authenticated attacker with low privileges and carries a CVSS score of 4.3 with low real-world exploitation probability (EPSS 0.04%). No public exploit code or active exploitation has been identified.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68989
EPSS 0% CVSS 7.5
HIGH This Week

Sensitive data exposure in Contact Form 7 Mailchimp Extension plugin for WordPress (versions ≤0.9.68) allows unauthenticated remote attackers to retrieve embedded sensitive information through network-accessible endpoints. The vulnerability enables unauthorized access to confidential data with low attack complexity and no user interaction required. EPSS score of 0.05% (14th percentile) indicates low observed exploitation probability, and no public exploit was identified at time of analysis.

WordPress PHP Information Disclosure
NVD
CVE-2025-68987
EPSS 0% CVSS 9.8
CRITICAL Act Now

Local file inclusion in Edge-Themes Cinerama WordPress theme versions ≤2.9 enables unauthenticated remote attackers to read arbitrary server files through PHP file inclusion weaknesses. Despite the CVSS critical rating of 9.8, EPSS probability is low (0.17%, 38th percentile) with no public exploit identified at time of analysis. The vulnerability allows server-side file reading which could expose configuration files, credentials, and sensitive data without authentication requirements.

WordPress PHP Lfi +1
NVD
CVE-2025-68499
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) in Crocoblock JetTabs WordPress plugin versions up to 2.2.12 allows attackers to inject malicious scripts that execute in users' browsers when viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling stored or reflected XSS attacks without requiring authentication. With an EPSS score of 0.04% (14th percentile), exploitation likelihood is very low despite the publicly documented vulnerability.

WordPress XSS PHP
NVD
CVE-2025-68498
EPSS 0%
This Week

Missing authorization in Crocoblock JetTabs WordPress plugin version 2.2.12 and earlier allows unauthenticated or low-privileged attackers to bypass access control restrictions and exploit misconfigured security levels. The vulnerability stems from improper validation of user permissions before executing sensitive operations, potentially enabling unauthorized access to restricted plugin functionality or data.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68040
EPSS 0%
Monitor

WP Project Manager plugin through version 3.0.1 exposes sensitive information in sent data due to improper information handling, allowing attackers to retrieve embedded sensitive data without authentication. The vulnerability affects all installations of the weDevs plugin and has been identified with an extremely low EPSS score (0.05%, 14th percentile), suggesting minimal practical exploitation likelihood despite the information disclosure classification.

WordPress PHP Information Disclosure
NVD
CVE-2025-68036
EPSS 0%
This Week

CubeWP framework plugin through version 1.1.27 fails to enforce proper access control checks, allowing attackers to access functionality that should be restricted by access control lists. This authentication bypass vulnerability has low real-world exploitation probability (EPSS 0.05%) but represents a fundamental authorization flaw in the plugin's architecture that could enable privilege escalation or unauthorized feature access depending on implementation context.

WordPress PHP Authentication Bypass
NVD
CVE-2025-23554
EPSS 0%
This Week

Reflected cross-site scripting (XSS) in the Off Page SEO WordPress plugin through version 3.0.3 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code has been identified, and the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the moderate theoretical attack surface.

WordPress PHP XSS
NVD
CVE-2025-23458
EPSS 0%
This Week

Reflected cross-site scripting (XSS) in the Rakessh Ads24 Lite WordPress plugin (wp-ad-management) up to version 1.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when visited, potentially compromising user sessions, stealing credentials, or defacing content. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the straightforward attack vector.

WordPress PHP XSS
NVD
CVE-2025-68607
EPSS 0%
This Week

Stored cross-site scripting (XSS) in WordPress Custom Field Template plugin through version 2.7.7 allows authenticated users to inject malicious scripts that execute in the browsers of other users who view affected content, potentially compromising site security and user data. The vulnerability has an EPSS score of 0.04% (14th percentile), indicating low real-world exploitation probability despite the high-impact nature of stored XSS on WordPress sites.

WordPress PHP XSS
NVD
CVE-2025-68504
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin through version 3.5.16 allows attackers to inject malicious scripts into the search interface that execute in users' browsers. The vulnerability affects the plugin's web page generation when processing search input, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of authenticated users without requiring authentication themselves. No CVSS score was available at analysis time, but the low EPSS score (0.04%, 14th percentile) suggests limited real-world exploitation likelihood despite the XSS vector.

WordPress PHP XSS
NVD
CVE-2025-68503
EPSS 0%
This Week

Missing authorization in Crocoblock JetBlog plugin versions up to 2.4.7 allows unauthenticated attackers to exploit incorrectly configured access control, potentially bypassing intended security restrictions on blog content and administrative functions. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to sensitive operations, with an EPSS score of 0.04% indicating low real-world exploitation probability despite the authorization defect.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68502
EPSS 0%
Monitor

Authorization Bypass in Crocoblock JetPopup WordPress plugin through version 2.0.20.1 allows attackers to exploit incorrectly configured access control security levels via user-controlled keys, enabling unauthorized access to protected popup content and functionality. EPSS score of 0.04% indicates low exploitation probability despite the authorization flaw; no public exploit code or active exploitation has been identified.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68861
EPSS 0%
This Week

Missing authorization in Plugin Optimizer WordPress plugin through version 1.3.7 allows attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from missing authorization checks (CWE-862), enabling attackers to bypass security restrictions without proper administrative privileges. While EPSS scoring (0.06%, 17th percentile) indicates low exploitation probability, the authentication bypass classification warrants prompt patching.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68868
EPSS 0%
This Week

Stored cross-site scripting (XSS) in codeaffairs Wp Text Slider Widget plugin for WordPress versions 1.0 and earlier enables authenticated attackers to inject malicious scripts that execute in the browsers of site administrators and other users. The vulnerability arises from improper input sanitization during widget configuration, allowing persistent code injection through the plugin's admin interface.

WordPress PHP XSS
NVD
CVE-2025-68897
EPSS 0%
This Week

Remote code injection in IF AS Shortcode WordPress plugin versions up to 1.2 allows attackers to execute arbitrary code through improper handling of shortcode parameters. The vulnerability stems from CWE-94 (Improper Control of Code Generation) and affects WordPress installations using this plugin. Patchstack reported the vulnerability; however, no CVSS vector is provided and EPSS probability is low at 0.07%, suggesting limited real-world exploit activity at the time of analysis.

WordPress PHP Code Injection
NVD
CVE-2025-68893
EPSS 0%
This Week

Server-Side Request Forgery (SSRF) in WordPress Image Shrinker plugin versions up to 1.1.0 enables unauthenticated remote attackers to forge requests from the affected server to internal or external resources, potentially exposing sensitive data or enabling lateral movement within network infrastructure. The vulnerability has extremely low exploitation probability (EPSS 0.04th percentile) and no public exploit code identified, suggesting limited real-world threat despite the technical severity of SSRF vulnerabilities.

WordPress PHP SSRF
NVD
CVE-2025-68879
EPSS 0%
This Week

Reflected cross-site scripting (XSS) in the Content Grid Slider WordPress plugin through version 1.5 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing script payloads that execute in the victim's browser when the page is rendered, potentially enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the EPSS score of 0.04% indicates minimal real-world exploitation likelihood despite the vulnerability's technical severity.

WordPress PHP XSS
NVD
CVE-2025-68878
EPSS 0%
This Week

Reflected cross-site scripting (XSS) in Advanced Custom CSS WordPress plugin versions through 1.1.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session tokens, credentials, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation risk despite the straightforward attack vector.

WordPress PHP XSS
NVD
CVE-2025-68877
EPSS 0%
Monitor

Local file inclusion in CedCommerce Integration for Good Market WordPress plugin versions 1.0.6 and earlier allows unauthenticated attackers to read arbitrary files from the server via improper filename validation in PHP include/require statements. The vulnerability affects a popular e-commerce integration plugin used by WooCommerce merchants, exposing sensitive configuration files, database credentials, and other sensitive data accessible to the web server process. EPSS probability of 0.14% suggests low real-world exploitation likelihood despite the information disclosure impact.

WordPress PHP Lfi
NVD
CVE-2025-68605
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions <= 2.3.23) allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user data. The vulnerability requires user interaction (viewing a page with the injected content) and affects components beyond the vulnerable plugin itself (Scope: Changed per CVSS:3.1/S:C). EPSS score of 0.04% indicates low real-world exploitation probability despite CVE publication.

WordPress PHP XSS
NVD
CVE-2025-68602
EPSS 1% CVSS 6.1
MEDIUM This Month

Open redirect vulnerability in Scott Paterson Accept Donations with PayPal & Stripe WordPress plugin (versions <= 1.5.2) enables attackers to craft malicious URLs that redirect users to untrusted sites, facilitating phishing attacks. The vulnerability requires user interaction (UI:R) but affects the plugin's core donation handling, allowing an unauthenticated attacker to chain this with social engineering to compromise user credentials or distribute malware through redirects to fraudulent payment pages.

WordPress PHP Open Redirect
NVD
CVE-2025-68601
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) in Five Star Restaurant Reservations WordPress plugin versions ≤2.7.8 enables unauthenticated attackers to perform unauthorized administrative actions through social engineering. With CVSS 8.8 (High), the vulnerability requires no privileges and low attack complexity, though user interaction is necessary. EPSS probability is minimal (0.02%, 6th percentile), indicating low observed exploitation likelihood despite the high CVSS score. No confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.

WordPress PHP CSRF
NVD
CVE-2025-68600
EPSS 0% CVSS 9.1
CRITICAL Act Now

Server-Side Request Forgery in WordPress Link Library plugin versions up to 7.8.7 allows unauthenticated remote attackers to make arbitrary HTTP requests from the server, potentially accessing internal resources, cloud metadata endpoints, or conducting reconnaissance of internal network infrastructure. CVSS score of 9.1 indicates high severity, though EPSS of 0.04% (14th percentile) suggests limited observed exploitation attempts. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis.

WordPress PHP SSRF
NVD
CVE-2025-68598
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in Live Composer page builder plugin for WordPress (versions through 2.1.11) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with contributor or editor access can store XSS payloads that persist in the database and execute when administrators or other site visitors interact with the affected content, potentially leading to session hijacking, credential theft, or malware distribution.

WordPress PHP XSS
NVD
CVE-2025-68597
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in BlueGlass Interactive AG Jobs for WordPress plugin versions 2.8.1 and earlier allows authenticated users with low privileges to inject malicious scripts into job postings that execute in the browsers of other site visitors. The vulnerability requires user interaction (clicking a crafted link) and affects website visitors with cross-site request forgery capabilities, resulting in limited confidentiality and integrity impact but no availability impact. The issue has a low exploitation probability (EPSS 0.04%) despite publicly disclosed details.

WordPress PHP XSS
NVD
CVE-2025-68595
EPSS 0% CVSS 8.8
HIGH This Week

Broken access control in Trustindex Widgets for Social Photo Feed (WordPress plugin) through version 1.8 allows authenticated attackers with low privileges to bypass authorization controls and execute high-impact actions. The vulnerability has low attack complexity (CVSS:3.1 AV:N/AC:L/PR:L) enabling compromise of confidentiality, integrity, and availability. EPSS score of 0.06% (18th percentile) indicates relatively low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, suggesting this remains a patch-priority issue rather than an active threat.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68594
EPSS 0% CVSS 8.1
HIGH This Week

Broken access control in Opinion Stage Poll, Survey & Quiz Maker Plugin for WordPress versions through 19.12.0 allows authenticated attackers with low-level privileges to bypass authorization checks and access or modify high-sensitivity data. The vulnerability (CWE-862: Missing Authorization) enables privilege escalation through improperly configured access control mechanisms. EPSS probability is low at 0.04% (13th percentile), and no public exploit identified at time of analysis, though authentication bypass tags indicate established attack patterns exist for this vulnerability class.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68591
EPSS 0% CVSS 8.1
HIGH This Week

Missing authorization in Simple File List WordPress plugin 6.1.18 and earlier allows authenticated low-privilege users to bypass access controls and gain unauthorized read/write access to file list data. It is tagged as an authentication bypass vulnerability, with an EPSS score of 0.04% (13th percentile) indicating low observed exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68589
EPSS 0% CVSS 8.1
HIGH This Week

Broken access control in WP Telegram Widget and Join Link plugin versions up to 2.2.12 allows authenticated users with low privileges to bypass authorization checks and access high-sensitivity configuration or data. The vulnerability enables unauthorized read and write operations (CVSS C:H/I:H) without requiring user interaction. EPSS score of 0.04% suggests low observed exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68588
EPSS 0% CVSS 8.1
HIGH This Week

Access control bypass in TS Poll WordPress plugin (versions ≤2.5.5) allows low-privileged authenticated users to escalate privileges and gain unauthorized read/write access to poll data. Attackers with basic subscriber accounts can exploit misconfigured authorization checks to access or modify content beyond their intended permission level. EPSS exploitation probability is low (0.04%, 13th percentile), with no public exploit identified at time of analysis, suggesting limited immediate risk despite the 8.1 CVSS score.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68569
EPSS 0% CVSS 8.8
HIGH This Week

Broken access control in WP Time Slots Booking Form plugin (≤1.2.39) allows authenticated attackers with low-level privileges to escalate permissions and execute unauthorized administrative actions. The vulnerability stems from missing authorization checks (CWE-862), enabling privilege escalation to access, modify, or delete sensitive booking data and configuration settings. While the CVSS score is 8.8 (High), real-world risk appears moderate with EPSS at 0.06% (18th percentile) and no public exploit identified at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68568
EPSS 0% CVSS 7.5
HIGH This Week

Missing authorization in Claspo WordPress plugin through version 1.0.7 allows unauthenticated remote attackers to modify data via incorrectly configured access controls. With CVSS 7.5 (High integrity impact) but only 0.04% EPSS probability, this represents elevated exposure in vulnerable installations despite low observed exploitation likelihood. No public exploit identified at time of analysis, though the authentication bypass tag indicates potential for unauthorized actions without credentials.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68567
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in WordPress plugin My Auctions Allegro (versions ≤3.6.33) allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through social engineering. CVSS 8.8 severity stems from potential high confidentiality, integrity, and availability impact if victims are tricked into clicking malicious links while authenticated. EPSS score of 0.02% (6th percentile) indicates very low probability of exploitation in the wild. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring user interaction.

WordPress PHP CSRF
NVD
CVE-2025-68566
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in WordPress plugin My Auctions Allegro (versions up to 3.6.35) allows authenticated users to inject malicious scripts that execute in other users' browsers when viewing auction content. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected WordPress installations, though with limited scope within the plugin context. No public exploit code or active exploitation has been identified; real-world risk is moderate given the requirement for authenticated access and user interaction.

WordPress PHP XSS
NVD
CVE-2025-68496
EPSS 0% CVSS 9.8
CRITICAL Act Now

Blind SQL injection in User Feedback WordPress plugin (versions ≤1.10.0) allows unauthenticated remote attackers to extract database contents, modify data, or execute administrative commands. The vulnerability carries a critical CVSS score of 9.8 due to network-based exploitation requiring no privileges or user interaction. While EPSS probability is low (0.05%, 14th percentile) and no active exploitation is confirmed at time of analysis, the severity and unauthenticated attack vector make this a priority for WordPress administrators using this plugin. Patchstack security audit identified this flaw as CWE-89 SQL injection stemming from improper input sanitization.

WordPress PHP SQLi
NVD
CVE-2025-68038
EPSS 0% CVSS 9.8
CRITICAL Act Now

PHP object injection in Icegram Express Pro (WordPress email marketing plugin) through version 5.9.13 enables unauthenticated remote attackers to execute arbitrary code via unsafe deserialization of user-controlled data. With CVSS 9.8 (critical severity) and network-accessible attack vector requiring no authentication or user interaction, this represents a severe pre-authentication RCE risk. EPSS score of 0.06% (19th percentile) suggests low immediate exploitation probability, and no public exploit or CISA KEV listing identified at time of analysis, though Patchstack disclosure increases attacker awareness.

WordPress PHP Deserialization
NVD
CVE-2025-68561
EPSS 0%
This Week

SQL injection in AutomatorWP WordPress plugin through version 5.2.4 allows authenticated attackers to execute arbitrary SQL commands. The vulnerability exists in the plugin's database query handling, where user-supplied input is not properly sanitized before being used in SQL statements. While the EPSS score indicates low exploitation probability (0.04%), the SQL injection vector represents a critical capability if exploited, potentially enabling data exfiltration, modification, or deletion from the affected WordPress database.

WordPress PHP SQLi
NVD
CVE-2025-68560
EPSS 0%
Monitor

Local file inclusion vulnerability in CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin through version 5.10.5.1 allows attackers to read arbitrary files from the server via improper control of filename parameters in PHP include/require statements. The vulnerability carries a low EPSS score of 0.17% (38th percentile), indicating minimal real-world exploitation probability despite being a classic PHP file inclusion flaw affecting an Elementor page builder plugin.

WordPress PHP File Upload
NVD
CVE-2025-68559
EPSS 0%
This Week

Cross-site scripting (XSS) vulnerability in CodexThemes TheGem Theme Elements (for Elementor) plugin through version 5.10.5.1 stems from improper neutralization of input during web page generation. Attackers can inject malicious scripts that execute in the context of other users' browsers, potentially compromising WordPress site visitors and administrators. No active exploitation has been confirmed at time of analysis, and the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the vulnerability's presence in a widely used Elementor theme plugin.

WordPress PHP XSS
NVD
CVE-2025-68556
EPSS 0%
This Week

Missing authorization controls in VillaTheme HAPPY helpdesk plugin versions up to 1.0.9 allow unauthenticated attackers to bypass access restrictions and interact with support ticket functionality without proper permission verification. This authentication bypass vulnerability affects WordPress installations using the vulnerable plugin and could permit unauthorized access to sensitive support tickets and helpdesk operations. The issue has been reported by Patchstack security researchers with a low EPSS exploitation probability (0.04%) despite the authorization flaw.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68550
EPSS 0%
This Week

Blind SQL injection in VillaTheme WPBulky plugin through version 1.1.13 allows attackers to extract sensitive data from WordPress databases via improper neutralization of SQL command elements. The vulnerability affects the wpbulky-wp-bulk-edit-post-types plugin and is confirmed by security audit firm Patchstack, though no public exploit code or active exploitation has been documented at time of analysis.

WordPress PHP SQLi
NVD
CVE-2025-68548
EPSS 0%
This Week

Stored cross-site scripting (XSS) in WebCodingPlace Responsive Posts Carousel Pro WordPress plugin versions 15.2 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise site integrity and steal sensitive user data. EPSS exploitation probability is notably low (0.04%, 14th percentile), suggesting limited real-world attack incentive despite the stored nature of the flaw.

WordPress PHP XSS
NVD
CVE-2025-68546
EPSS 0%
Monitor

Local file inclusion (LFI) vulnerability in Thembay Nika WordPress theme version 1.2.14 and earlier allows unauthenticated attackers to read arbitrary files from the server via improper control of filename parameters in PHP include/require statements. The vulnerability has a low EPSS score (0.17%, 38th percentile) and no confirmed active exploitation, but successful exploitation could disclose sensitive configuration files, source code, or other protected data.

WordPress PHP Lfi
NVD
CVE-2025-68544
EPSS 0%
Monitor

Local file inclusion (LFI) vulnerability in Thembay Diza WordPress theme through version 1.3.15 allows unauthenticated attackers to read arbitrary files from the server filesystem via improper control of filename parameters in PHP include/require statements. The vulnerability affects all versions of Diza up to and including 1.3.15, with no public exploit code identified at time of analysis, though the low EPSS score (0.17%) suggests limited real-world exploitation probability despite the attack vector being remote and unauthenticated.

PHP Lfi WordPress
NVD
CVE-2025-14163
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-Site Request Forgery in Premium Addons for Elementor plugin versions up to 4.11.53 allows unauthenticated remote attackers to create arbitrary Elementor templates by exploiting missing nonce validation in the 'insert_inner_template' function. An attacker must trick a site administrator or user with edit_posts capability into clicking a malicious link, but no public exploit code has been identified. The EPSS score of 0.02% indicates this vulnerability has very low exploitation probability in practice despite the CVSS 4.3 rating.

WordPress CSRF Premium Addons For Elementor
NVD