WordPress
Monthly
Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.
Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.
The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.
Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Arbitrary command execution in WPGraphQL's GitHub Actions workflow allows attackers with pull request creation privileges to inject shell commands through unvalidated pull request body content, potentially compromising the build environment and repository integrity. The vulnerability affects WPGraphQL versions prior to 2.9.1 and requires low privileges and user interaction to exploit. No patch is currently available for affected deployments.
Unauthenticated attackers can exploit a path traversal vulnerability in WP Responsive Images plugin for WordPress (all versions up to 1.0) through the 'src' parameter to read arbitrary files from the server. This allows unauthorized access to sensitive information stored on affected WordPress installations. No patch is currently available.
The Events Calendar plugin for WordPress through version 6.15.16 fails to properly validate user capabilities in REST API endpoints, allowing authenticated contributors and higher-privileged users to modify or delete events, organizers, and venues without proper authorization. This capability check bypass affects all installations with the vulnerable plugin version and enables authenticated attackers with lower-level access to cause data integrity issues and service disruption. No patch is currently available for this medium-severity vulnerability.
The Disable Admin Notices - Hide Dashboard Notifications WordPress plugin up to version 1.4.2 lacks proper CSRF protection in its `showPageContent()` function, allowing unauthenticated attackers to inject arbitrary URLs into the blocked redirects list by tricking site administrators into clicking a malicious link. This could enable an attacker to redirect site traffic or manipulate administrator settings without explicit authorization. No patch is currently available for this medium-severity vulnerability.
Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Protected post metadata injection in Post Duplicator plugin for WordPress allows authenticated contributors and higher-privileged users to arbitrarily set sensitive meta keys like _wp_page_template on duplicated posts by bypassing WordPress's standard metadata protection mechanisms. The vulnerability exists in versions up to 3.0.8 due to direct database insertion instead of using WordPress's protected metadata validation function. Attackers can exploit this through the customMetaData parameter in the REST API endpoint to manipulate post properties and potentially compromise site functionality.
WP Recipe Maker (WordPress plugin) is affected by authorization bypass through user-controlled key (CVSS 4.3).
Authenticated WordPress users with Author-level or higher privileges can exploit a Server-Side Request Forgery vulnerability in the Responsive Lightbox & Gallery plugin (versions up to 2.7.1) due to improper hostname validation in the image upload function. This allows attackers to send arbitrary web requests from the vulnerable server to internal services, potentially exposing or modifying sensitive information within the network. The vulnerability affects all versions up to 2.7.1 with no patch currently available.
Unauthenticated attackers can execute SQL injection attacks against WordPress sites running Geo Mashup plugin versions up to 1.13.17 by manipulating the 'sort' parameter, allowing unauthorized database access and extraction of sensitive information. The vulnerability stems from inadequate input validation and query preparation in the plugin code. No patch is currently available, leaving affected installations at risk until an update is released.
Remote code execution in Advanced Woo Labels plugin for WordPress through version 2.37 allows authenticated users with Contributor access or higher to execute arbitrary PHP functions and system commands via an unsanitized callback parameter in an AJAX handler. The vulnerability stems from improper use of call_user_func_array() without adequate input validation or capability restrictions. No patch is currently available for this high-severity flaw affecting WordPress environments.
Unauthenticated attackers can forge authentication tokens in the WPGSI: Spreadsheet Integration plugin for WordPress (versions up to 3.8.3) due to missing capability checks and weak token validation that relies only on Base64-encoded, unsigned user data. This allows remote attackers to create, modify, and delete arbitrary WordPress posts and pages without authentication. No patch is currently available.
Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.
The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved. [CVSS 8.8 HIGH]
Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions.
Critical vulnerability in ElementsKit Elementor Addons WordPress plugin allows unauthenticated access to critical functions. CVSS 10.0 affecting a widely-used WordPress plugin with 1M+ installations.
Unauthenticated attackers can manipulate email routing and redirection in The Plus Addons for Elementor plugin for WordPress versions up to 6.4.7 by tampering with the 'email_data' parameter in an AJAX handler that lacks proper cryptographic verification. This allows attackers to trigger unauthorized email relay and redirect users to attacker-controlled sites without authentication. No patch is currently available for this medium-severity vulnerability.
Conditional CAPTCHA WordPre versions up to 4.0.0 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).
Unauthenticated attackers can delete migrated courses in WordPress sites running LearnPress Export Import versions up to 4.1.0 due to missing capability checks in the data deletion function, provided Tutor LMS is also installed. This allows unauthorized data loss with low complexity exploitation requiring network access. No patch is currently available for this medium-severity vulnerability.
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. [CVSS 6.5 MEDIUM]
Missing authorization controls in the tychesoftwares Print Invoice & Delivery Notes plugin for WooCommerce (versions up to 5.8.0) allow unauthenticated attackers to manipulate access control settings and modify invoice or delivery note data. The vulnerability affects WordPress sites running this plugin and could result in unauthorized data modification. A patch is not currently available.
WP Job Portal versions 2.4.4 and earlier contain an authorization bypass flaw that allows unauthenticated attackers to access sensitive information by exploiting improperly configured access controls. An attacker can remotely exploit this vulnerability without user interaction to gain unauthorized visibility into restricted data. No patch is currently available for this vulnerability.
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by php remote file inclusion (CVSS 8.1).
Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
PersianScript Persian Woocommerce SMS persian-woocommerce-sms is affected by cross-site scripting (xss) (CVSS 7.1).
realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).
AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify is affected by missing authorization (CVSS 6.5).
vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor is affected by missing authorization (CVSS 7.1).
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]
XforWooCommerce Product Filter for WooCommerce prdctfltr contains a security vulnerability (CVSS 7.3).
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]
GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (xss) (CVSS 7.1).
GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (xss) (CVSS 7.1).
magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).
primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).
Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]
Bas Schuiling FeedWordPress Advanced Filters faf is affected by cross-site scripting (xss) (CVSS 7.1).
Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Saiful Islam Sync Master Sheet – Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet – Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.
WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).
Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.
Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).
Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]
Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Addonify Addonify – Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify – Compare Products For WooCommerce: from n/a through <= 1.1.17. [CVSS 6.5 MEDIUM]
soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce is affected by missing authorization (CVSS 6.3).
vanquish User Extra Fields wp-user-extra-fields is affected by cross-site scripting (xss) (CVSS 7.1).
knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce is affected by missing authorization (CVSS 6.5).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1. [CVSS 7.1 HIGH]
Stored XSS in Master Addons For Elementor plugin (WordPress versions up to 2.1.1) allows authenticated contributors and above to inject malicious scripts into pages through the 'ma_el_bh_table_btn_text' parameter due to insufficient input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
The Survey Maker WordPress plugin through version 5.1.7.7 is vulnerable to reflected cross-site scripting (XSS) that requires user interaction to exploit. An attacker can craft a malicious link to inject arbitrary JavaScript into a victim's browser session, potentially allowing credential theft or malicious actions within WordPress. No patch is currently available, leaving affected installations at risk.
The Quiz Maker plugin for WordPress versions up to 6.7.1.7 allows authenticated contributors and higher-privileged users to inject persistent JavaScript through the `vc_quizmaker` shortcode due to inadequate input validation, enabling malicious script execution in pages viewed by other users. The vulnerability requires WPBakery Page Builder to be active and has no available patch. An attacker with contributor access can deface content or steal sensitive information from site visitors.
Authenticated users can modify email configurations in YayMail for WooCommerce through version 4.3.2 due to missing authorization checks on access control settings. An attacker with low-level WordPress user privileges could alter email templates or settings without proper permissions. No patch is currently available for this vulnerability.
Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by sql injection (CVSS 7.5).
Unauthenticated attackers can exploit time-based SQL injection in wpForo Forum plugin for WordPress versions up to 2.4.14 through the 'wpfob' parameter to extract sensitive database information. The vulnerability stems from insufficient input sanitization and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.
The Dealia - Request a Quote WordPress plugin through version 1.0.6 allows authenticated contributors and above to inject malicious scripts into pages via improperly escaped Gutenberg block attributes. An attacker with contributor-level access can embed arbitrary JavaScript that executes when users view the affected pages, potentially compromising user sessions and data. No patch is currently available.
Stored XSS in the Client Testimonial Slider WordPress plugin through version 2.0 allows administrators to inject malicious scripts into the 'Testimonial Heading' setting due to inadequate input sanitization. The injected scripts execute when users view affected pages, impacting multi-site WordPress installations or sites with unfiltered_html disabled. Currently no patch is available.
Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).
Radio by Sonaar versions up to 4.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).
PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce is affected by missing authorization (CVSS 5.3).
villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).
The WP-CORS WordPress plugin through version 0.2.2 contains an authorization bypass that allows authenticated users to modify content due to improperly configured access controls. An attacker with valid WordPress credentials could exploit this to make unauthorized changes to website data. No patch is currently available for this vulnerability.
crgeary JAMstack Deployments wp-jamstack-deployments is affected by missing authorization (CVSS 4.3).
Improper access control in WP Job Manager through version 2.4.0 permits unauthenticated attackers to access sensitive information by bypassing authorization checks. The vulnerability affects WordPress sites running the vulnerable plugin and could allow unauthorized disclosure of job-related data. No patch is currently available.
The Update URLs WordPress plugin through version 1.4.0 contains an open redirect vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to arbitrary external sites, enabling phishing attacks. The vulnerability requires user interaction to click a crafted link but has no patch currently available. Affected WordPress sites using this plugin should upgrade or disable it immediately.
WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.
WP-Lister Lite for eBay through version 3.8.5 contains a missing authorization vulnerability allowing unauthenticated remote attackers to bypass access controls and gain unauthorized information disclosure. The improper access control configuration enables attackers to exploit the plugin's functionality without proper authentication or permissions. No patch is currently available for affected WordPress installations.
WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite is affected by missing authorization (CVSS 4.3).
DOM-based cross-site scripting in VeronaLabs WP SMS plugin version 7.1 and earlier for WordPress allows authenticated attackers with high privileges to execute arbitrary JavaScript in users' browsers through improper input handling. An attacker could exploit this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, or deface web pages. No patch is currently available for this vulnerability.
Melapress WP Activity Log wp-security-audit-log is affected by cross-site scripting (xss) (CVSS 6.5).
The rtMedia plugin for WordPress versions up to 4.7.8 exposes sensitive system information through an information disclosure vulnerability that allows unauthenticated remote attackers to retrieve embedded data. This vulnerability affects WordPress installations using rtMedia with BuddyPress and bbPress extensions, potentially exposing confidential system details to unauthorized users. No patch is currently available for this medium-severity issue.
Wisernotify team WiserReview Product Reviews for WooCommerce wiser-review is affected by missing authorization (CVSS 4.3).
WP Messiah TOP Table Of Contents top-table-of-contents is affected by missing authorization (CVSS 4.3).
The Alma payment gateway plugin for WooCommerce versions up to 5.16.1 contains an authorization bypass that allows unauthenticated attackers to modify data through improper access control enforcement. WordPress sites using this plugin are at risk of unauthorized changes to payment-related settings or configurations. A patch is not currently available, making immediate mitigation through plugin disabling or version control necessary.
WP Swings Ultimate Gift Cards For WooCommerce woo-gift-cards-lite is affected by missing authorization (CVSS 5.3).
YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).
The Dealia - Request a quote WordPress plugin fails to properly validate user permissions on AJAX endpoints, allowing authenticated users with Contributor-level access or higher to reset plugin configuration by exploiting an exposed admin nonce. An attacker with basic edit_posts capability can bypass the capability check and modify critical plugin settings without administrative privileges. The vulnerability affects all versions up to 1.0.6 and currently has no available patch.
Stored cross-site scripting in the WordPress XML-RPC Attacks Blocker plugin up to version 1.0 allows unauthenticated attackers to inject malicious scripts via the X-Forwarded-For HTTP header, which are then executed when administrators access the debug log page. The vulnerability stems from improper handling of untrusted header data without output escaping. No patch is currently available.
Complete data destruction in WordPress via the News Element Elementor Blog Magazine plugin (versions up to 1.0.8) due to insufficient authorization checks on an AJAX function, allowing authenticated users with Subscriber-level privileges to truncate core database tables and delete the uploads directory. The vulnerability requires user authentication but no additional interaction, making it exploitable by any low-privileged WordPress user with no patch currently available.
Stored XSS in WordPress Slidorion plugin through version 1.0.2 allows administrators to inject malicious scripts via insufficiently sanitized settings that execute when other users view affected pages. The vulnerability requires high privileges and only manifests in multisite WordPress installations or those with unfiltered HTML disabled. No patch is currently available.
Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.
Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.
The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.
Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Arbitrary command execution in WPGraphQL's GitHub Actions workflow allows attackers with pull request creation privileges to inject shell commands through unvalidated pull request body content, potentially compromising the build environment and repository integrity. The vulnerability affects WPGraphQL versions prior to 2.9.1 and requires low privileges and user interaction to exploit. No patch is currently available for affected deployments.
Unauthenticated attackers can exploit a path traversal vulnerability in WP Responsive Images plugin for WordPress (all versions up to 1.0) through the 'src' parameter to read arbitrary files from the server. This allows unauthorized access to sensitive information stored on affected WordPress installations. No patch is currently available.
The Events Calendar plugin for WordPress through version 6.15.16 fails to properly validate user capabilities in REST API endpoints, allowing authenticated contributors and higher-privileged users to modify or delete events, organizers, and venues without proper authorization. This capability check bypass affects all installations with the vulnerable plugin version and enables authenticated attackers with lower-level access to cause data integrity issues and service disruption. No patch is currently available for this medium-severity vulnerability.
The Disable Admin Notices - Hide Dashboard Notifications WordPress plugin up to version 1.4.2 lacks proper CSRF protection in its `showPageContent()` function, allowing unauthenticated attackers to inject arbitrary URLs into the blocked redirects list by tricking site administrators into clicking a malicious link. This could enable an attacker to redirect site traffic or manipulate administrator settings without explicit authorization. No patch is currently available for this medium-severity vulnerability.
Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Protected post metadata injection in Post Duplicator plugin for WordPress allows authenticated contributors and higher-privileged users to arbitrarily set sensitive meta keys like _wp_page_template on duplicated posts by bypassing WordPress's standard metadata protection mechanisms. The vulnerability exists in versions up to 3.0.8 due to direct database insertion instead of using WordPress's protected metadata validation function. Attackers can exploit this through the customMetaData parameter in the REST API endpoint to manipulate post properties and potentially compromise site functionality.
WP Recipe Maker (WordPress plugin) is affected by authorization bypass through user-controlled key (CVSS 4.3).
Authenticated WordPress users with Author-level or higher privileges can exploit a Server-Side Request Forgery vulnerability in the Responsive Lightbox & Gallery plugin (versions up to 2.7.1) due to improper hostname validation in the image upload function. This allows attackers to send arbitrary web requests from the vulnerable server to internal services, potentially exposing or modifying sensitive information within the network. The vulnerability affects all versions up to 2.7.1 with no patch currently available.
Unauthenticated attackers can execute SQL injection attacks against WordPress sites running Geo Mashup plugin versions up to 1.13.17 by manipulating the 'sort' parameter, allowing unauthorized database access and extraction of sensitive information. The vulnerability stems from inadequate input validation and query preparation in the plugin code. No patch is currently available, leaving affected installations at risk until an update is released.
Remote code execution in Advanced Woo Labels plugin for WordPress through version 2.37 allows authenticated users with Contributor access or higher to execute arbitrary PHP functions and system commands via an unsanitized callback parameter in an AJAX handler. The vulnerability stems from improper use of call_user_func_array() without adequate input validation or capability restrictions. No patch is currently available for this high-severity flaw affecting WordPress environments.
Unauthenticated attackers can forge authentication tokens in the WPGSI: Spreadsheet Integration plugin for WordPress (versions up to 3.8.3) due to missing capability checks and weak token validation that relies only on Base64-encoded, unsigned user data. This allows remote attackers to create, modify, and delete arbitrary WordPress posts and pages without authentication. No patch is currently available.
Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.
The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved. [CVSS 8.8 HIGH]
Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions.
Critical vulnerability in ElementsKit Elementor Addons WordPress plugin allows unauthenticated access to critical functions. CVSS 10.0 affecting a widely-used WordPress plugin with 1M+ installations.
Unauthenticated attackers can manipulate email routing and redirection in The Plus Addons for Elementor plugin for WordPress versions up to 6.4.7 by tampering with the 'email_data' parameter in an AJAX handler that lacks proper cryptographic verification. This allows attackers to trigger unauthorized email relay and redirect users to attacker-controlled sites without authentication. No patch is currently available for this medium-severity vulnerability.
Conditional CAPTCHA WordPre versions up to 4.0.0 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).
Unauthenticated attackers can delete migrated courses in WordPress sites running LearnPress Export Import versions up to 4.1.0 due to missing capability checks in the data deletion function, provided Tutor LMS is also installed. This allows unauthorized data loss with low complexity exploitation requiring network access. No patch is currently available for this medium-severity vulnerability.
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. [CVSS 6.5 MEDIUM]
Missing authorization controls in the tychesoftwares Print Invoice & Delivery Notes plugin for WooCommerce (versions up to 5.8.0) allow unauthenticated attackers to manipulate access control settings and modify invoice or delivery note data. The vulnerability affects WordPress sites running this plugin and could result in unauthorized data modification. A patch is not currently available.
WP Job Portal versions 2.4.4 and earlier contain an authorization bypass flaw that allows unauthenticated attackers to access sensitive information by exploiting improperly configured access controls. An attacker can remotely exploit this vulnerability without user interaction to gain unauthorized visibility into restricted data. No patch is currently available for this vulnerability.
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by php remote file inclusion (CVSS 8.1).
Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
PersianScript Persian Woocommerce SMS persian-woocommerce-sms is affected by cross-site scripting (xss) (CVSS 7.1).
realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).
AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify is affected by missing authorization (CVSS 6.5).
vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor is affected by missing authorization (CVSS 7.1).
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]
XforWooCommerce Product Filter for WooCommerce prdctfltr contains a security vulnerability (CVSS 7.3).
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]
GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (xss) (CVSS 7.1).
GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (xss) (CVSS 7.1).
magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).
Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).
primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).
Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]
Bas Schuiling FeedWordPress Advanced Filters faf is affected by cross-site scripting (xss) (CVSS 7.1).
Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Saiful Islam Sync Master Sheet – Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet – Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.
WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).
Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.
Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).
Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]
Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Addonify Addonify – Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify – Compare Products For WooCommerce: from n/a through <= 1.1.17. [CVSS 6.5 MEDIUM]
soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce is affected by missing authorization (CVSS 6.3).
vanquish User Extra Fields wp-user-extra-fields is affected by cross-site scripting (xss) (CVSS 7.1).
knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce is affected by missing authorization (CVSS 6.5).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1. [CVSS 7.1 HIGH]
Stored XSS in Master Addons For Elementor plugin (WordPress versions up to 2.1.1) allows authenticated contributors and above to inject malicious scripts into pages through the 'ma_el_bh_table_btn_text' parameter due to insufficient input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
The Survey Maker WordPress plugin through version 5.1.7.7 is vulnerable to reflected cross-site scripting (XSS) that requires user interaction to exploit. An attacker can craft a malicious link to inject arbitrary JavaScript into a victim's browser session, potentially allowing credential theft or malicious actions within WordPress. No patch is currently available, leaving affected installations at risk.
The Quiz Maker plugin for WordPress versions up to 6.7.1.7 allows authenticated contributors and higher-privileged users to inject persistent JavaScript through the `vc_quizmaker` shortcode due to inadequate input validation, enabling malicious script execution in pages viewed by other users. The vulnerability requires WPBakery Page Builder to be active and has no available patch. An attacker with contributor access can deface content or steal sensitive information from site visitors.
Authenticated users can modify email configurations in YayMail for WooCommerce through version 4.3.2 due to missing authorization checks on access control settings. An attacker with low-level WordPress user privileges could alter email templates or settings without proper permissions. No patch is currently available for this vulnerability.
Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by sql injection (CVSS 7.5).
Unauthenticated attackers can exploit time-based SQL injection in wpForo Forum plugin for WordPress versions up to 2.4.14 through the 'wpfob' parameter to extract sensitive database information. The vulnerability stems from insufficient input sanitization and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.
The Dealia - Request a Quote WordPress plugin through version 1.0.6 allows authenticated contributors and above to inject malicious scripts into pages via improperly escaped Gutenberg block attributes. An attacker with contributor-level access can embed arbitrary JavaScript that executes when users view the affected pages, potentially compromising user sessions and data. No patch is currently available.
Stored XSS in the Client Testimonial Slider WordPress plugin through version 2.0 allows administrators to inject malicious scripts into the 'Testimonial Heading' setting due to inadequate input sanitization. The injected scripts execute when users view affected pages, impacting multi-site WordPress installations or sites with unfiltered_html disabled. Currently no patch is available.
Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).
Radio by Sonaar versions up to 4.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).
PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce is affected by missing authorization (CVSS 5.3).
villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).
The WP-CORS WordPress plugin through version 0.2.2 contains an authorization bypass that allows authenticated users to modify content due to improperly configured access controls. An attacker with valid WordPress credentials could exploit this to make unauthorized changes to website data. No patch is currently available for this vulnerability.
crgeary JAMstack Deployments wp-jamstack-deployments is affected by missing authorization (CVSS 4.3).
Improper access control in WP Job Manager through version 2.4.0 permits unauthenticated attackers to access sensitive information by bypassing authorization checks. The vulnerability affects WordPress sites running the vulnerable plugin and could allow unauthorized disclosure of job-related data. No patch is currently available.
The Update URLs WordPress plugin through version 1.4.0 contains an open redirect vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to arbitrary external sites, enabling phishing attacks. The vulnerability requires user interaction to click a crafted link but has no patch currently available. Affected WordPress sites using this plugin should upgrade or disable it immediately.
WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.
WP-Lister Lite for eBay through version 3.8.5 contains a missing authorization vulnerability allowing unauthenticated remote attackers to bypass access controls and gain unauthorized information disclosure. The improper access control configuration enables attackers to exploit the plugin's functionality without proper authentication or permissions. No patch is currently available for affected WordPress installations.
WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite is affected by missing authorization (CVSS 4.3).
DOM-based cross-site scripting in VeronaLabs WP SMS plugin version 7.1 and earlier for WordPress allows authenticated attackers with high privileges to execute arbitrary JavaScript in users' browsers through improper input handling. An attacker could exploit this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, or deface web pages. No patch is currently available for this vulnerability.
Melapress WP Activity Log wp-security-audit-log is affected by cross-site scripting (xss) (CVSS 6.5).
The rtMedia plugin for WordPress versions up to 4.7.8 exposes sensitive system information through an information disclosure vulnerability that allows unauthenticated remote attackers to retrieve embedded data. This vulnerability affects WordPress installations using rtMedia with BuddyPress and bbPress extensions, potentially exposing confidential system details to unauthorized users. No patch is currently available for this medium-severity issue.
Wisernotify team WiserReview Product Reviews for WooCommerce wiser-review is affected by missing authorization (CVSS 4.3).
WP Messiah TOP Table Of Contents top-table-of-contents is affected by missing authorization (CVSS 4.3).
The Alma payment gateway plugin for WooCommerce versions up to 5.16.1 contains an authorization bypass that allows unauthenticated attackers to modify data through improper access control enforcement. WordPress sites using this plugin are at risk of unauthorized changes to payment-related settings or configurations. A patch is not currently available, making immediate mitigation through plugin disabling or version control necessary.
WP Swings Ultimate Gift Cards For WooCommerce woo-gift-cards-lite is affected by missing authorization (CVSS 5.3).
YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).
The Dealia - Request a quote WordPress plugin fails to properly validate user permissions on AJAX endpoints, allowing authenticated users with Contributor-level access or higher to reset plugin configuration by exploiting an exposed admin nonce. An attacker with basic edit_posts capability can bypass the capability check and modify critical plugin settings without administrative privileges. The vulnerability affects all versions up to 1.0.6 and currently has no available patch.
Stored cross-site scripting in the WordPress XML-RPC Attacks Blocker plugin up to version 1.0 allows unauthenticated attackers to inject malicious scripts via the X-Forwarded-For HTTP header, which are then executed when administrators access the debug log page. The vulnerability stems from improper handling of untrusted header data without output escaping. No patch is currently available.
Complete data destruction in WordPress via the News Element Elementor Blog Magazine plugin (versions up to 1.0.8) due to insufficient authorization checks on an AJAX function, allowing authenticated users with Subscriber-level privileges to truncate core database tables and delete the uploads directory. The vulnerability requires user authentication but no additional interaction, making it exploitable by any low-privileged WordPress user with no patch currently available.
Stored XSS in WordPress Slidorion plugin through version 1.0.2 allows administrators to inject malicious scripts via insufficiently sanitized settings that execute when other users view affected pages. The vulnerability requires high privileges and only manifests in multisite WordPress installations or those with unfiltered HTML disabled. No patch is currently available.