WordPress
Monthly
Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio grandportfolio allows Cross Site Request Forgery.This issue affects Grand Portfolio: from n/a through <= 3.3.
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Cross Site Request Forgery.This issue affects Grand Blog: from n/a through <= 3.1.
Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.This issue affects Getty Images: from n/a through <= 4.1.0.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through <= 1.3.0.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8.
Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Biolife: from n/a through <= 3.2.3.
Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Education Base: from n/a through <= 3.0.8.
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This issue affects Appointment: from n/a through <= 3.5.5.
Cross-Site Request Forgery (CSRF) vulnerability in themearile NewsExo newsexo allows Cross Site Request Forgery.This issue affects NewsExo: from n/a through <= 7.1.
Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0.
Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JW Player for WordPress: from n/a through <= 2.3.6.
Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through <= 4.2.9.
Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= 1.1.
Missing Authorization vulnerability in iPOSPays iPOSpays Gateways WC ipospays-gateways-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iPOSpays Gateways WC: from n/a through <= 1.3.7.
Missing Authorization vulnerability in Foysal Imran BizReview bizreview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizReview: from n/a through <= 1.5.13.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS.This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.
Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Tracking: from n/a through <= 3.4.3.
Missing Authorization vulnerability in nmerii NM Gift Registry and Wishlist Lite nm-gift-registry-and-wishlist-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NM Gift Registry and Wishlist Lite: from n/a through <= 5.13.
Insertion of Sensitive Information Into Sent Data vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Retrieve Embedded Sensitive Data.This issue affects RepairBuddy: from n/a through <= 4.1132.
Missing Authorization vulnerability in Arraytics Booktics booktics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booktics: from n/a through <= 1.0.16.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Retrieve Embedded Sensitive Data.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through < 5.6.5.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themefic Instantio instantio allows Retrieve Embedded Sensitive Data.This issue affects Instantio: from n/a through <= 3.3.30.
Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Designinvento DirectoryPress directorypress allows Retrieve Embedded Sensitive Data.This issue affects DirectoryPress: from n/a through <= 3.6.26.
Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data.This issue affects Sunshine Photo Cart: from n/a through < 3.6.2.
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.10.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeStek LabtechCO labtechco allows PHP Local File Inclusion.This issue affects LabtechCO: from n/a through <= 8.3.
Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion.This issue affects Mikado Core: from n/a through <= 1.6.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16.
Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display Eventbrite Events: from n/a through <= 6.5.6.
Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through < 4.11.2.
Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.This issue affects Nelio Content: from n/a through <= 4.3.1.
Missing Authorization vulnerability in weDevs weDocs wedocs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weDocs: from n/a through <= 2.1.18.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data.This issue affects Nexter Blocks: from n/a through <= 4.7.0.
Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.11.
Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.5.10.
DOM-based cross-site scripting (XSS) in Advanced Coupons for WooCommerce Coupons plugin (versions up to 4.7.1.1) allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the same privileges as the site context, affecting confidentiality, integrity, and availability of the WordPress installation. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating low real-world exploitation probability despite the moderate CVSS 6.5 rating.
Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2.
Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.2.5.
Missing authorization in RealMag777 FOX woocommerce-currency-switcher plugin for WordPress allows unauthenticated remote attackers to bypass access controls and gain read access to sensitive data through incorrectly configured security levels. The vulnerability affects FOX versions up to and including 1.4.5, with a CVSS score of 5.3 and extremely low exploitation probability (EPSS 0.02%), suggesting limited real-world attack incentive despite the missing authorization flaw.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS.This issue affects themesflat-addons-for-elementor: from n/a through <= 2.3.2.
Blind SQL injection in FOX WooCommerce Currency Switcher plugin (versions ≤1.4.5) allows authenticated high-privilege users to extract database contents via crafted SQL commands. Attacker requires high-privilege access (PR:H) but can breach scope boundaries (S:C), achieving high confidentiality impact and limited availability disruption. No public exploit identified at time of analysis. Affects WordPress installations using the vulnerable plugin for multi-currency e-commerce functionality.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayMail yaymail allows Blind SQL Injection.This issue affects YayMail: from n/a through <= 4.3.3.
Missing Authorization vulnerability in SureCart SureCart surecart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SureCart: from n/a through <= 4.0.2.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8.
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows Phishing.This issue affects Hide My WP Ghost: from n/a through < 7.0.00.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS.This issue affects Post Expirator: from n/a through <= 4.9.4.
Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.1.
Insertion of Sensitive Information Into Sent Data vulnerability in Pär Thernström Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a through <= 5.24.0.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection.This issue affects Broken Link Checker: from n/a through <= 2.4.7.
Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.8.
Stored Cross-Site Scripting (XSS) in Magic Conversation For Gravity Forms plugin allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes, executing malicious scripts in pages viewed by any visitor. The vulnerability affects all versions up to and including 3.0.97 and requires no user interaction from the victim. With an EPSS score context of 6.4 CVSS and confirmed patch availability, this represents a moderate-to-significant risk to WordPress sites with untrusted contributor accounts.
Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to 8.8.3 allow authenticated attackers with Subscriber-level access to modify, reschedule, or delete other users' scheduled social media posts through authorization bypass in AJAX handlers. The vulnerability stems from insufficient validation of user-controlled 'b2s_id' parameters before performing UPDATE and DELETE operations, enabling privilege escalation within multi-user WordPress environments. No public exploit code or active exploitation has been reported, but the low CVSS complexity and minimal authentication barrier (Subscriber role) make this a practical attack vector in shared hosting scenarios.
Insecure Direct Object Reference (IDOR) in Awesome Support WordPress plugin up to version 6.3.7 allows authenticated subscribers and above to access sensitive information from all support tickets by manipulating the ticket_id parameter in the wpas_get_ticket_replies_ajax() function. The vulnerability fails to verify user permissions before returning ticket data, enabling unauthorized disclosure of potentially sensitive helpdesk information across the entire system. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting in Element Pack Addons for Elementor plugin versions up to 8.4.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malicious SVG files through the SVG Image Widget. The vulnerability exists in the render_svg() function, which fetches remote SVG content and echoes it directly to pages without proper sanitization, enabling persistent XSS attacks affecting all users who view pages containing the compromised widget. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in AM LottiePlayer WordPress plugin versions up to 3.6.0 allows authenticated attackers with Author-level privileges or higher to inject malicious scripts via specially crafted SVG file uploads, which execute in the browsers of all users viewing the affected pages. The vulnerability stems from insufficient input sanitization during SVG processing and lack of proper output escaping, enabling persistent payload delivery to website visitors without requiring any user interaction beyond normal page access.
SQL injection in the Attendance Manager WordPress plugin (versions up to 0.6.2) allows authenticated attackers with Subscriber-level access to execute arbitrary SQL queries via the 'attmgr_off' parameter, enabling unauthorized extraction of sensitive database information. The vulnerability requires user authentication but can be exploited without further user interaction, with a CVSS score of 5.4 indicating moderate risk. No public exploit code or confirmed active exploitation has been identified at the time of analysis.
Cross-Site Request Forgery (CSRF) in the Quran Translations WordPress plugin versions up to 1.7 allows unauthenticated attackers to modify plugin settings by tricking site administrators into clicking a malicious link. The vulnerability stems from missing nonce validation in the quran_playlist_options() function, which processes POST requests to update options like PDF, RSS, podcast, and media player display settings without cryptographic request verification. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting (XSS) in Whole Enquiry Cart for WooCommerce plugin allows authenticated administrators to inject arbitrary JavaScript via the 'woowhole_success_msg' parameter, affecting all versions up to 1.2.1. The injected scripts execute for all users viewing affected pages, but exploitation is restricted to multi-site WordPress installations or sites with unfiltered_html disabled, and requires administrator-level privileges. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in Wavr WordPress plugin up to version 0.2.6 allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, with malicious scripts executing for all users who view affected pages. CVSS 6.4 reflects moderate severity with network-accessible attack vector and cross-site impact; no public exploit code or active exploitation confirmed at time of analysis.
Stored Cross-Site Scripting in Columns by BestWebSoft WordPress plugin (versions up to 1.0.3) allows authenticated contributors and above to inject arbitrary JavaScript via the 'id' shortcode attribute of [print_clmns], which is embedded unsanitized into HTML id attributes and inline CSS. The vulnerability requires at least one column to exist in the plugin database but affects any user viewing a page containing the injected shortcode, with a CVSS score of 6.4 reflecting moderate impact across confidentiality and integrity. No public exploit code or active exploitation has been identified at time of analysis.
Unauthenticated attackers can bypass authorization in Masteriyo LMS plugin versions up to 2.1.7 by sending forged Stripe webhook events to mark arbitrary orders as completed without payment, granting unauthorized access to paid course content. The vulnerability stems from insufficient webhook signature verification in the handle_webhook() function, which processes requests with an empty default webhook_secret and only validates signatures if both the secret is configured and the HTTP_STRIPE_SIGNATURE header is present. No public exploit code or active exploitation has been identified at time of analysis, though the attack requires only network access and no authentication or user interaction.
PZ Frontend Manager plugin for WordPress versions up to 1.0.6 allows authenticated attackers with Subscriber-level access to delete arbitrary WordPress users, including administrators, due to missing authorization checks in the pzfm_user_request_action_callback() AJAX function. The vulnerable function lacks both capability verification and nonce validation when processing user deletion requests, enabling privilege escalation and account takeover attacks. CVSS score of 5.3 reflects the integrity impact; however, the true risk is elevated by the low privilege requirement (unauthenticated attackers can exploit this if they register a free Subscriber account) and the critical business impact of administrative account deletion.
Stored Cross-Site Scripting in WowPress plugin for WordPress (all versions up to 1.0.0) allows authenticated attackers with contributor-level access and above to inject arbitrary JavaScript through insufficiently sanitized shortcode attributes, enabling malicious script execution in pages viewed by other users. CVSS 6.4 reflects moderate severity with network-accessible attack vector but requires authenticated access; no public exploit code or active exploitation confirmed at time of analysis.
Arbitrary file upload in Gerador de Certificados - DevApps plugin for WordPress (all versions ≤1.3.6) enables authenticated administrators to upload files without type validation, creating remote code execution opportunities. The vulnerability stems from missing file type validation in the moveUploadedFile() function. CVSS 7.2 (High) reflects network-accessible attack requiring high privileges; EPSS data not provided, no public exploit identified at time of analysis, not listed in CISA KEV.
Stored Cross-Site Scripting in Pinterest Site Verification Plugin Using Meta Tag for WordPress up to version 1.8 allows authenticated attackers with subscriber-level access to inject arbitrary JavaScript via the 'post_var' parameter due to insufficient input sanitization and output escaping. The vulnerability has a CVSS score of 6.4 with cross-site scope, enabling persistent script injection that executes in the browsers of any user visiting affected pages. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting in the Inquiry Form to Posts or Pages WordPress plugin up to version 1.0 allows authenticated administrators to inject arbitrary JavaScript via the 'Form Header' field, executing when users access the plugin settings page or view pages containing the [inquiry_form] shortcode. The vulnerability stems from insufficient input sanitization during option storage and missing output escaping in two rendering locations. CVSS 4.4 reflects the high privilege requirement (administrator-only access) and limited impact, though the stored nature and cross-site scope elevate concern for sites with multiple administrators or role delegation.
Remote code execution in DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). CVSS 9.8 Critical reflects network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well-understood and commonly weaponized.
WP Blockade WordPress plugin versions up to 0.9.14 allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress shortcodes due to missing authorization checks and nonce verification in the render_shortcode_preview() function. An attacker can supply malicious shortcodes via the 'wp-blockade-shortcode-render' admin_post action to achieve information disclosure, privilege escalation, or arbitrary actions depending on registered shortcodes. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in Sports Club Management WordPress plugin versions up to 1.12.9 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into shortcode attributes, which executes when other users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the `scm_member_data` shortcode's 'before' and 'after' parameters, requiring only basic WordPress login privileges but affecting all site visitors who access injected content. No public exploit code or active exploitation has been identified at this time.
Riaxe Product Customizer plugin for WordPress versions up to 2.4 exposes sensitive WooCommerce customer and order data through an unauthenticated REST API endpoint due to a missing permission callback. Attackers can query the '/wp-json/InkXEProductDesignerLite/orders' endpoint to retrieve customer names, order IDs, totals, dates, and statuses without authentication. No public exploit code or active exploitation has been confirmed at time of analysis.
Improper access control in the ActivityPub WordPress plugin before 8.0.2 exposes draft, scheduled, and pending posts to unauthenticated remote users, resulting in confidentiality breach. This information disclosure vulnerability (CVSS 7.5) allows network-based attackers to access unpublished content without authentication or user interaction. Publicly available exploit code exists, though no confirmed active exploitation (not in CISA KEV). EPSS score of 0.02% (6th percentile) suggests low current exploitation probability despite POC availability, but SSVC framework marks it as automatable with partial technical impact.
Stored Cross-Site Scripting in The Plus Addons for Elementor plugin for WordPress (all versions up to 6.4.9) allows authenticated attackers with contributor-level access and above to inject arbitrary JavaScript into pages via the Progress Bar shortcode due to insufficient input sanitization and output escaping. When other users access affected pages, the injected scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting in Strong Testimonials WordPress plugin up to version 3.2.21 allows authenticated contributors and above to inject arbitrary JavaScript via the testimonial_view shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in Investi WordPress plugin versions up to 1.0.26 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through the 'maximum-num-years' attribute of the 'investi-announcements-accordion' shortcode. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS payloads that execute when users access affected pages. No public exploit code or active exploitation has been confirmed at this time.
Unauthenticated attackers can modify LTL Freight Quotes - R+L Carriers Edition plugin subscription settings via a webhook handler with missing authorization controls in all versions up to 3.3.13. The vulnerability allows downgrading paid subscriptions to trial plans, changing store type, and manipulating expiration dates, effectively disabling premium features like Dropship and Hazardous Material handling. CVSS 5.3 reflects moderate integrity impact with no authentication required and network-accessible attack surface.
Authenticated attackers with Subscriber-level access can extract MainWP Child Reports activity logs including action summaries, user information, IP addresses, and contextual data from WordPress sites running the MainWP Child Reports plugin up to version 2.2.6 by exploiting a missing authorization check in the WordPress Heartbeat API handler. The vulnerability (CVSS 5.3) affects information disclosure only and requires network access but no user interaction; no public exploit code or active exploitation has been confirmed at the time of analysis.
Stored Cross-Site Scripting in LatePoint Calendar Booking Plugin for WordPress up to version 5.3.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'button_caption' parameter in the [latepoint_resources] shortcode when 'items' is set to 'bundles'. The injected scripts execute for all users viewing the affected page. No public exploit code or active exploitation has been identified, though the vulnerability requires only contributor-level access and automatic exploitation is feasible.
Stored Cross-Site Scripting in Prime Slider - Addons for Elementor plugin allows authenticated users with Author-level access to inject arbitrary JavaScript through the 'follow_us_text' setting in the Mount widget. The vulnerability exists in all versions up to 4.1.10 due to missing output escaping in the render_social_link() function, enabling attackers to execute malicious scripts whenever pages containing the injected widget are viewed. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross-Site Scripting in TableOn - WordPress Posts Table Filterable plugin versions up to 1.0.4.4 allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript via unescaped shortcode attributes ('class', 'help_link', 'popup_title', 'help_title') in the 'tableon_button' shortcode. The vulnerability results from the do_shortcode_button() function extracting attributes without sanitization and the TABLEON_HELPER::draw_html_item() function concatenating these values directly into HTML output without escaping, enabling malicious scripts to execute in the browsers of users viewing affected pages. No public exploit code or active exploitation has been reported at this time.
Arbitrary user metadata modification in Users Manager - PN plugin for WordPress (versions ≤1.1.15) allows unaneticated remote attackers to escalate privileges and hijack accounts. The vulnerability stems from flawed authorization logic in userspn_ajax_nopriv_server() that fails to verify authentication when user_id is supplied, combined with publicly exposed nonce values. Attackers can modify critical user metadata including userspn_secret_token for any WordPress user. CVSS 9.8 (Critical). EPSS data not available. No public exploit identified at time of analysis, but exploitation requires only HTTP requests with predictable parameters.
Stored Cross-Site Scripting in LearnPress WordPress LMS Plugin up to version 4.3.3 allows authenticated contributors to inject malicious scripts via the 'skin' attribute of the learn_press_courses shortcode, which lacks proper output escaping. The injected scripts execute whenever any user visits a page containing the malicious shortcode, affecting all sites using vulnerable versions. No evidence of active exploitation exists at time of analysis.
Stored cross-site scripting in Blubrry PowerPress plugin versions up to 11.15.15 allows authenticated contributors and above to inject arbitrary scripts via the 'powerpress' and 'podcast' shortcodes, executing malicious code whenever users access affected pages. The vulnerability stems from insufficient input sanitization and output escaping in shortcode processing. EPSS score of 6.4 reflects moderate risk; exploitation requires contributor-level WordPress access but no public exploit code has been identified at the time of analysis.
LightPress Lightbox plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript via the unescaped `group` attribute in the `[gallery]` shortcode, resulting in stored cross-site scripting that executes for all users viewing affected pages. The vulnerability affects all versions up to 2.3.4 and has been addressed in version 2.3.5.
Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through <= 3.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0.
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio grandportfolio allows Cross Site Request Forgery.This issue affects Grand Portfolio: from n/a through <= 3.3.
Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Cross Site Request Forgery.This issue affects Grand Blog: from n/a through <= 3.1.
Server-Side Request Forgery (SSRF) vulnerability in Getty Images Getty Images getty-images allows Server Side Request Forgery.This issue affects Getty Images: from n/a through <= 4.1.0.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through <= 1.3.0.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in kutethemes Armania armania allows Code Injection.This issue affects Armania: from n/a through <= 1.4.8.
Missing Authorization vulnerability in kutethemes Biolife biolife allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Biolife: from n/a through <= 3.2.3.
Missing Authorization vulnerability in acmethemes Education Base education-base allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Education Base: from n/a through <= 3.0.8.
Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This issue affects Appointment: from n/a through <= 3.5.5.
Cross-Site Request Forgery (CSRF) vulnerability in themearile NewsExo newsexo allows Cross Site Request Forgery.This issue affects NewsExo: from n/a through <= 7.1.
Authorization Bypass Through User-Controlled Key vulnerability in dFactory Download Attachments download-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Attachments: from n/a through <= 1.4.0.
Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JW Player for WordPress: from n/a through <= 2.3.6.
Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through <= 4.2.9.
Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= 1.1.
Missing Authorization vulnerability in iPOSPays iPOSpays Gateways WC ipospays-gateways-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iPOSpays Gateways WC: from n/a through <= 1.3.7.
Missing Authorization vulnerability in Foysal Imran BizReview bizreview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizReview: from n/a through <= 1.5.13.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookTable Bookstore mybooktable allows Stored XSS.This issue affects MyBookTable Bookstore: from n/a through <= 3.6.0.
Missing Authorization vulnerability in Rustaurius Order Tracking order-tracking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Tracking: from n/a through <= 3.4.3.
Missing Authorization vulnerability in nmerii NM Gift Registry and Wishlist Lite nm-gift-registry-and-wishlist-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NM Gift Registry and Wishlist Lite: from n/a through <= 5.13.
Insertion of Sensitive Information Into Sent Data vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Retrieve Embedded Sensitive Data.This issue affects RepairBuddy: from n/a through <= 4.1132.
Missing Authorization vulnerability in Arraytics Booktics booktics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booktics: from n/a through <= 1.0.16.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Retrieve Embedded Sensitive Data.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through < 5.6.5.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themefic Instantio instantio allows Retrieve Embedded Sensitive Data.This issue affects Instantio: from n/a through <= 3.3.30.
Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Designinvento DirectoryPress directorypress allows Retrieve Embedded Sensitive Data.This issue affects DirectoryPress: from n/a through <= 3.6.26.
Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data.This issue affects Sunshine Photo Cart: from n/a through < 3.6.2.
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.10.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeStek LabtechCO labtechco allows PHP Local File Inclusion.This issue affects LabtechCO: from n/a through <= 8.3.
Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion.This issue affects Mikado Core: from n/a through <= 1.6.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Chill RSVP and Event Management rsvp allows Retrieve Embedded Sensitive Data.This issue affects RSVP and Event Management: from n/a through <= 2.7.16.
Missing Authorization vulnerability in fullworks Display Eventbrite Events widget-for-eventbrite-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display Eventbrite Events: from n/a through <= 6.5.6.
Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through < 4.11.2.
Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.This issue affects Nelio Content: from n/a through <= 4.3.1.
Missing Authorization vulnerability in weDevs weDocs wedocs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects weDocs: from n/a through <= 2.1.18.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data.This issue affects Nexter Blocks: from n/a through <= 4.7.0.
Authorization Bypass Through User-Controlled Key vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.11.
Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.5.10.
DOM-based cross-site scripting (XSS) in Advanced Coupons for WooCommerce Coupons plugin (versions up to 4.7.1.1) allows authenticated attackers with low privileges to inject malicious scripts that execute in users' browsers with the same privileges as the site context, affecting confidentiality, integrity, and availability of the WordPress installation. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating low real-world exploitation probability despite the moderate CVSS 6.5 rating.
Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2.
Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.2.5.
Missing authorization in RealMag777 FOX woocommerce-currency-switcher plugin for WordPress allows unauthenticated remote attackers to bypass access controls and gain read access to sensitive data through incorrectly configured security levels. The vulnerability affects FOX versions up to and including 1.4.5, with a CVSS score of 5.3 and extremely low exploitation probability (EPSS 0.02%), suggesting limited real-world attack incentive despite the missing authorization flaw.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesflat themesflat-addons-for-elementor themesflat-addons-for-elementor allows Stored XSS.This issue affects themesflat-addons-for-elementor: from n/a through <= 2.3.2.
Blind SQL injection in FOX WooCommerce Currency Switcher plugin (versions ≤1.4.5) allows authenticated high-privilege users to extract database contents via crafted SQL commands. Attacker requires high-privilege access (PR:H) but can breach scope boundaries (S:C), achieving high confidentiality impact and limited availability disruption. No public exploit identified at time of analysis. Affects WordPress installations using the vulnerable plugin for multi-currency e-commerce functionality.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayMail yaymail allows Blind SQL Injection.This issue affects YayMail: from n/a through <= 4.3.3.
Missing Authorization vulnerability in SureCart SureCart surecart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SureCart: from n/a through <= 4.0.2.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8.
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows Phishing.This issue affects Hide My WP Ghost: from n/a through < 7.0.00.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This issue affects VK All in One Expansion Unit: from n/a through <= 9.113.3.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS.This issue affects Post Expirator: from n/a through <= 4.9.4.
Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Feedback: from n/a through <= 1.10.1.
Insertion of Sensitive Information Into Sent Data vulnerability in Pär Thernström Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a through <= 5.24.0.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection.This issue affects Broken Link Checker: from n/a through <= 2.4.7.
Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.8.
Stored Cross-Site Scripting (XSS) in Magic Conversation For Gravity Forms plugin allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes, executing malicious scripts in pages viewed by any visitor. The vulnerability affects all versions up to and including 3.0.97 and requires no user interaction from the victim. With an EPSS score context of 6.4 CVSS and confirmed patch availability, this represents a moderate-to-significant risk to WordPress sites with untrusted contributor accounts.
Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to 8.8.3 allow authenticated attackers with Subscriber-level access to modify, reschedule, or delete other users' scheduled social media posts through authorization bypass in AJAX handlers. The vulnerability stems from insufficient validation of user-controlled 'b2s_id' parameters before performing UPDATE and DELETE operations, enabling privilege escalation within multi-user WordPress environments. No public exploit code or active exploitation has been reported, but the low CVSS complexity and minimal authentication barrier (Subscriber role) make this a practical attack vector in shared hosting scenarios.
Insecure Direct Object Reference (IDOR) in Awesome Support WordPress plugin up to version 6.3.7 allows authenticated subscribers and above to access sensitive information from all support tickets by manipulating the ticket_id parameter in the wpas_get_ticket_replies_ajax() function. The vulnerability fails to verify user permissions before returning ticket data, enabling unauthorized disclosure of potentially sensitive helpdesk information across the entire system. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting in Element Pack Addons for Elementor plugin versions up to 8.4.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malicious SVG files through the SVG Image Widget. The vulnerability exists in the render_svg() function, which fetches remote SVG content and echoes it directly to pages without proper sanitization, enabling persistent XSS attacks affecting all users who view pages containing the compromised widget. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in AM LottiePlayer WordPress plugin versions up to 3.6.0 allows authenticated attackers with Author-level privileges or higher to inject malicious scripts via specially crafted SVG file uploads, which execute in the browsers of all users viewing the affected pages. The vulnerability stems from insufficient input sanitization during SVG processing and lack of proper output escaping, enabling persistent payload delivery to website visitors without requiring any user interaction beyond normal page access.
SQL injection in the Attendance Manager WordPress plugin (versions up to 0.6.2) allows authenticated attackers with Subscriber-level access to execute arbitrary SQL queries via the 'attmgr_off' parameter, enabling unauthorized extraction of sensitive database information. The vulnerability requires user authentication but can be exploited without further user interaction, with a CVSS score of 5.4 indicating moderate risk. No public exploit code or confirmed active exploitation has been identified at the time of analysis.
Cross-Site Request Forgery (CSRF) in the Quran Translations WordPress plugin versions up to 1.7 allows unauthenticated attackers to modify plugin settings by tricking site administrators into clicking a malicious link. The vulnerability stems from missing nonce validation in the quran_playlist_options() function, which processes POST requests to update options like PDF, RSS, podcast, and media player display settings without cryptographic request verification. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting (XSS) in Whole Enquiry Cart for WooCommerce plugin allows authenticated administrators to inject arbitrary JavaScript via the 'woowhole_success_msg' parameter, affecting all versions up to 1.2.1. The injected scripts execute for all users viewing affected pages, but exploitation is restricted to multi-site WordPress installations or sites with unfiltered_html disabled, and requires administrator-level privileges. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in Wavr WordPress plugin up to version 0.2.6 allows authenticated contributors and above to inject arbitrary JavaScript via insufficiently sanitized shortcode attributes, with malicious scripts executing for all users who view affected pages. CVSS 6.4 reflects moderate severity with network-accessible attack vector and cross-site impact; no public exploit code or active exploitation confirmed at time of analysis.
Stored Cross-Site Scripting in Columns by BestWebSoft WordPress plugin (versions up to 1.0.3) allows authenticated contributors and above to inject arbitrary JavaScript via the 'id' shortcode attribute of [print_clmns], which is embedded unsanitized into HTML id attributes and inline CSS. The vulnerability requires at least one column to exist in the plugin database but affects any user viewing a page containing the injected shortcode, with a CVSS score of 6.4 reflecting moderate impact across confidentiality and integrity. No public exploit code or active exploitation has been identified at time of analysis.
Unauthenticated attackers can bypass authorization in Masteriyo LMS plugin versions up to 2.1.7 by sending forged Stripe webhook events to mark arbitrary orders as completed without payment, granting unauthorized access to paid course content. The vulnerability stems from insufficient webhook signature verification in the handle_webhook() function, which processes requests with an empty default webhook_secret and only validates signatures if both the secret is configured and the HTTP_STRIPE_SIGNATURE header is present. No public exploit code or active exploitation has been identified at time of analysis, though the attack requires only network access and no authentication or user interaction.
PZ Frontend Manager plugin for WordPress versions up to 1.0.6 allows authenticated attackers with Subscriber-level access to delete arbitrary WordPress users, including administrators, due to missing authorization checks in the pzfm_user_request_action_callback() AJAX function. The vulnerable function lacks both capability verification and nonce validation when processing user deletion requests, enabling privilege escalation and account takeover attacks. CVSS score of 5.3 reflects the integrity impact; however, the true risk is elevated by the low privilege requirement (unauthenticated attackers can exploit this if they register a free Subscriber account) and the critical business impact of administrative account deletion.
Stored Cross-Site Scripting in WowPress plugin for WordPress (all versions up to 1.0.0) allows authenticated attackers with contributor-level access and above to inject arbitrary JavaScript through insufficiently sanitized shortcode attributes, enabling malicious script execution in pages viewed by other users. CVSS 6.4 reflects moderate severity with network-accessible attack vector but requires authenticated access; no public exploit code or active exploitation confirmed at time of analysis.
Arbitrary file upload in Gerador de Certificados - DevApps plugin for WordPress (all versions ≤1.3.6) enables authenticated administrators to upload files without type validation, creating remote code execution opportunities. The vulnerability stems from missing file type validation in the moveUploadedFile() function. CVSS 7.2 (High) reflects network-accessible attack requiring high privileges; EPSS data not provided, no public exploit identified at time of analysis, not listed in CISA KEV.
Stored Cross-Site Scripting in Pinterest Site Verification Plugin Using Meta Tag for WordPress up to version 1.8 allows authenticated attackers with subscriber-level access to inject arbitrary JavaScript via the 'post_var' parameter due to insufficient input sanitization and output escaping. The vulnerability has a CVSS score of 6.4 with cross-site scope, enabling persistent script injection that executes in the browsers of any user visiting affected pages. No public exploit code or active exploitation has been confirmed at the time of analysis.
Stored cross-site scripting in the Inquiry Form to Posts or Pages WordPress plugin up to version 1.0 allows authenticated administrators to inject arbitrary JavaScript via the 'Form Header' field, executing when users access the plugin settings page or view pages containing the [inquiry_form] shortcode. The vulnerability stems from insufficient input sanitization during option storage and missing output escaping in two rendering locations. CVSS 4.4 reflects the high privilege requirement (administrator-only access) and limited impact, though the stored nature and cross-site scope elevate concern for sites with multiple administrators or role delegation.
Remote code execution in DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). CVSS 9.8 Critical reflects network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well-understood and commonly weaponized.
WP Blockade WordPress plugin versions up to 0.9.14 allows authenticated users with Subscriber-level access or higher to execute arbitrary WordPress shortcodes due to missing authorization checks and nonce verification in the render_shortcode_preview() function. An attacker can supply malicious shortcodes via the 'wp-blockade-shortcode-render' admin_post action to achieve information disclosure, privilege escalation, or arbitrary actions depending on registered shortcodes. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in Sports Club Management WordPress plugin versions up to 1.12.9 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into shortcode attributes, which executes when other users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the `scm_member_data` shortcode's 'before' and 'after' parameters, requiring only basic WordPress login privileges but affecting all site visitors who access injected content. No public exploit code or active exploitation has been identified at this time.
Riaxe Product Customizer plugin for WordPress versions up to 2.4 exposes sensitive WooCommerce customer and order data through an unauthenticated REST API endpoint due to a missing permission callback. Attackers can query the '/wp-json/InkXEProductDesignerLite/orders' endpoint to retrieve customer names, order IDs, totals, dates, and statuses without authentication. No public exploit code or active exploitation has been confirmed at time of analysis.
Improper access control in the ActivityPub WordPress plugin before 8.0.2 exposes draft, scheduled, and pending posts to unauthenticated remote users, resulting in confidentiality breach. This information disclosure vulnerability (CVSS 7.5) allows network-based attackers to access unpublished content without authentication or user interaction. Publicly available exploit code exists, though no confirmed active exploitation (not in CISA KEV). EPSS score of 0.02% (6th percentile) suggests low current exploitation probability despite POC availability, but SSVC framework marks it as automatable with partial technical impact.
Stored Cross-Site Scripting in The Plus Addons for Elementor plugin for WordPress (all versions up to 6.4.9) allows authenticated attackers with contributor-level access and above to inject arbitrary JavaScript into pages via the Progress Bar shortcode due to insufficient input sanitization and output escaping. When other users access affected pages, the injected scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting in Strong Testimonials WordPress plugin up to version 3.2.21 allows authenticated contributors and above to inject arbitrary JavaScript via the testimonial_view shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in Investi WordPress plugin versions up to 1.0.26 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript through the 'maximum-num-years' attribute of the 'investi-announcements-accordion' shortcode. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS payloads that execute when users access affected pages. No public exploit code or active exploitation has been confirmed at this time.
Unauthenticated attackers can modify LTL Freight Quotes - R+L Carriers Edition plugin subscription settings via a webhook handler with missing authorization controls in all versions up to 3.3.13. The vulnerability allows downgrading paid subscriptions to trial plans, changing store type, and manipulating expiration dates, effectively disabling premium features like Dropship and Hazardous Material handling. CVSS 5.3 reflects moderate integrity impact with no authentication required and network-accessible attack surface.
Authenticated attackers with Subscriber-level access can extract MainWP Child Reports activity logs including action summaries, user information, IP addresses, and contextual data from WordPress sites running the MainWP Child Reports plugin up to version 2.2.6 by exploiting a missing authorization check in the WordPress Heartbeat API handler. The vulnerability (CVSS 5.3) affects information disclosure only and requires network access but no user interaction; no public exploit code or active exploitation has been confirmed at the time of analysis.
Stored Cross-Site Scripting in LatePoint Calendar Booking Plugin for WordPress up to version 5.3.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'button_caption' parameter in the [latepoint_resources] shortcode when 'items' is set to 'bundles'. The injected scripts execute for all users viewing the affected page. No public exploit code or active exploitation has been identified, though the vulnerability requires only contributor-level access and automatic exploitation is feasible.
Stored Cross-Site Scripting in Prime Slider - Addons for Elementor plugin allows authenticated users with Author-level access to inject arbitrary JavaScript through the 'follow_us_text' setting in the Mount widget. The vulnerability exists in all versions up to 4.1.10 due to missing output escaping in the render_social_link() function, enabling attackers to execute malicious scripts whenever pages containing the injected widget are viewed. No public exploit code or active exploitation has been confirmed at this time.
Stored Cross-Site Scripting in TableOn - WordPress Posts Table Filterable plugin versions up to 1.0.4.4 allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript via unescaped shortcode attributes ('class', 'help_link', 'popup_title', 'help_title') in the 'tableon_button' shortcode. The vulnerability results from the do_shortcode_button() function extracting attributes without sanitization and the TABLEON_HELPER::draw_html_item() function concatenating these values directly into HTML output without escaping, enabling malicious scripts to execute in the browsers of users viewing affected pages. No public exploit code or active exploitation has been reported at this time.
Arbitrary user metadata modification in Users Manager - PN plugin for WordPress (versions ≤1.1.15) allows unaneticated remote attackers to escalate privileges and hijack accounts. The vulnerability stems from flawed authorization logic in userspn_ajax_nopriv_server() that fails to verify authentication when user_id is supplied, combined with publicly exposed nonce values. Attackers can modify critical user metadata including userspn_secret_token for any WordPress user. CVSS 9.8 (Critical). EPSS data not available. No public exploit identified at time of analysis, but exploitation requires only HTTP requests with predictable parameters.
Stored Cross-Site Scripting in LearnPress WordPress LMS Plugin up to version 4.3.3 allows authenticated contributors to inject malicious scripts via the 'skin' attribute of the learn_press_courses shortcode, which lacks proper output escaping. The injected scripts execute whenever any user visits a page containing the malicious shortcode, affecting all sites using vulnerable versions. No evidence of active exploitation exists at time of analysis.
Stored cross-site scripting in Blubrry PowerPress plugin versions up to 11.15.15 allows authenticated contributors and above to inject arbitrary scripts via the 'powerpress' and 'podcast' shortcodes, executing malicious code whenever users access affected pages. The vulnerability stems from insufficient input sanitization and output escaping in shortcode processing. EPSS score of 6.4 reflects moderate risk; exploitation requires contributor-level WordPress access but no public exploit code has been identified at the time of analysis.
LightPress Lightbox plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript via the unescaped `group` attribute in the `[gallery]` shortcode, resulting in stored cross-site scripting that executes for all users viewing affected pages. The vulnerability affects all versions up to 2.3.4 and has been addressed in version 2.3.5.