WordPress
Monthly
Cross-site request forgery in WP Swings Wallet System for WooCommerce plugin through version 2.6.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious web pages. The vulnerability affects all installations of the plugin up to and including version 2.6.7, with no public exploit code identified at time of analysis, though the low EPSS score (0.02%) suggests minimal real-world exploitation likelihood despite the straightforward attack mechanism.
Cross-site request forgery (CSRF) in Toast Plugins Animator WordPress plugin versions through 3.0.16 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. The vulnerability affects the scroll-triggered-animations plugin and carries low exploitation probability (EPSS 0.02%, 6th percentile) with no active exploitation confirmed. While CSRF vulnerabilities typically require social engineering to trick users into visiting malicious pages, this issue could be leveraged to modify plugin settings or website content if a site administrator visits an attacker-controlled page.
Cross-site request forgery (CSRF) in Restaurant Menu by MotoPress WordPress plugin versions up to 2.4.6 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting malicious web pages. The vulnerability affects the plugin's core request handling and lacks CVSS score data, but EPSS analysis indicates low exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been identified.
News Kit Elementor Addons WordPress plugin version 1.3.4 and earlier contains a missing authorization vulnerability that allows attackers to exploit incorrectly configured access control, potentially bypassing security restrictions on protected functionality. The vulnerability stems from improper access control checks and affects a widely-distributed WordPress plugin used for news content management within Elementor page builder environments. While CVSS scoring is unavailable, the EPSS score of 0.07% indicates low real-world exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.
Cross-site request forgery (CSRF) in Webba Appointment Booking plugin (webba-booking-lite) through version 5.1.20 allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects the WordPress plugin and carries a low exploitation probability (EPSS 0.02%, percentile 6%), with no public exploit code identified at the time of analysis.
Cross-site request forgery in Tribulant Software Newsletters (newsletters-lite) plugin versions up to 4.10 allows attackers to perform unauthorized administrative actions by tricking authenticated users into visiting malicious pages. The vulnerability affects a widely-distributed WordPress plugin with no CVSS vector or CVSS score assigned, though EPSS scoring indicates minimal real-world exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been confirmed.
Cross-site request forgery (CSRF) in BlocksWP Theme Builder For Elementor plugin versions through 1.2.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability lacks a published CVSS score and shows minimal exploitation probability (0.02% EPSS), with no public exploit code or active exploitation reported, suggesting limited real-world risk.
Cross-Site Request Forgery (CSRF) vulnerability in WesternDeal WooCommerce Google Sheet Connector plugin versions up to 1.3.20 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress administrators. The plugin fails to implement proper CSRF token validation on critical functionality, enabling attackers to craft malicious requests that execute actions without explicit user consent. Although EPSS scoring indicates low exploitation probability (0.02%), CSRF vulnerabilities targeting WordPress admin functions represent a meaningful risk in multi-admin environments where social engineering can trick administrators into visiting attacker-controlled pages.
SQL injection in QuanticaLabs GymBase Theme Classes WordPress plugin versions up to 1.4 enables unauthenticated remote attackers to execute arbitrary SQL queries against the underlying database. The vulnerability exists in the gymbase_classes component and carries an EPSS score of 0.05% (16th percentile), indicating very low exploitation probability despite the critical nature of SQL injection flaws. No public exploit code or active exploitation has been identified at the time of analysis.
DOM-based cross-site scripting (XSS) in WPAdverts WordPress plugin versions 2.2.5 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability enables arbitrary JavaScript execution in the context of affected websites, potentially leading to session hijacking, credential theft, or malware distribution. No active exploitation has been confirmed, and EPSS probability remains low at 0.04%.
DOM-based cross-site scripting (XSS) vulnerability in WP Delicious plugin versions 1.8.4 and earlier allows attackers to inject malicious scripts that execute in the browsers of users who load the affected pages. The vulnerability stems from improper neutralization of user input during web page generation; because the payload is placed into the page by client-side script rather than by the server, server-side output escaping alone does not catch it. No CVSS score or exploitation data is available, but the low EPSS score (0.04%) suggests limited real-world exploitation probability at the time of analysis.
Cross-site request forgery (CSRF) in the RelyWP Coupon Affiliates WordPress plugin (woo-coupon-usage) through version 6.4.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the plugin's coupon management functionality and requires user interaction (tricking an admin into visiting a malicious page), but carries negligible real-world exploitation probability per EPSS scoring (0.02%, 6th percentile).
Erik AntiSpam for Contact Form 7 plugin versions through 0.6.3 fails to implement proper CSRF token validation, allowing attackers to forge requests that modify plugin settings or trigger unintended actions on behalf of authenticated administrators. The vulnerability affects WordPress installations with this plugin active, though the very low EPSS score (0.02%) suggests practical exploitation barriers or limited real-world impact.
Missing authorization controls in CreativeMindsSolutions CM Pop-Up banners WordPress plugin versions 1.8.4 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of access control checks on sensitive functionality, enabling attackers to perform unauthorized actions through direct API or parameter manipulation without requiring valid credentials or proper authorization validation.
DOM-based cross-site scripting (XSS) in Kyle Gilman Videopack plugin for WordPress (versions up to 4.10.3) allows authenticated attackers to inject malicious scripts into video embed pages. The vulnerability improperly neutralizes user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected video pages. No active exploitation has been confirmed, and the EPSS score of 0.04% indicates minimal probability of exploitation.
Stored cross-site scripting (XSS) in Welcart e-Commerce WordPress plugin versions 2.11.16 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or customer data. The vulnerability exists in the web page generation process where user input is not properly sanitized before being stored and rendered to other users. No public exploit code or active exploitation has been confirmed, but the low EPSS score (0.04%) suggests limited real-world attack probability despite the XSS classification.
Cross-site request forgery (CSRF) vulnerability in WordPress FluentSnippets plugin versions up to 10.50 allows unauthenticated attackers to execute unwanted actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the easy-code-manager component and has a low exploitation probability (EPSS 0.03%), but CSRF attacks typically require social engineering to trick users into visiting a malicious site, making real-world impact dependent on site traffic and user behavior rather than technical exploitability alone.
Stored cross-site scripting (XSS) in Crocoblock JetSmartFilters WordPress plugin through version 3.6.8 allows attackers to inject persistent malicious scripts that execute in the browsers of site administrators and users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise site integrity and steal sensitive data or session tokens. No public exploit code has been identified at the time of analysis, and the low EPSS score (0.04%, 13th percentile) suggests limited real-world exploitation likelihood despite the high-severity XSS classification.
Stored cross-site scripting (XSS) in Bold Page Builder WordPress plugin through version 5.4.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during page generation, enabling attackers with page creation or editing capabilities to embed persistent XSS payloads. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04%) reflects limited real-world attack probability despite the vulnerability's presence in a widely-installed page builder plugin.
Missing authorization controls in favethemes Houzez WordPress theme through version 4.0.4 allow unauthenticated attackers to bypass access control restrictions and access resources they should not be permitted to view. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation risk is low despite the vulnerability's presence in a popular real estate theme.
Stored cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin versions 3.5.10.1 and earlier allows attackers to inject malicious scripts that persist in the application and execute in users' browsers when the affected pages are viewed. The vulnerability resides in improper input neutralization during web page generation, enabling attackers with sufficient permissions to store XSS payloads that compromise other users' sessions and data. No public exploit code or active exploitation has been confirmed; however, the low EPSS score (0.04%, 13th percentile) suggests limited real-world attack probability despite the persistent nature of the vulnerability.
Stored XSS vulnerability in Crocoblock JetPopup WordPress plugin up to version 2.0.15.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of site visitors and administrators. The vulnerability exists in web page generation logic where user input is not properly sanitized before being rendered, enabling persistent script injection. Despite low EPSS score (0.04%), stored XSS in WordPress plugins poses significant risk due to broad exposure to site visitors and the potential for session hijacking, credential theft, or privilege escalation when executed in admin contexts.
Improper input neutralization in Crocoblock JetPopup plugin (versions up to 2.0.15) allows DOM-based cross-site scripting (XSS) attacks. The vulnerability enables attackers to inject and execute malicious JavaScript in the context of a web browser when a user interacts with a popup, potentially leading to session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04%, 13th percentile) suggests minimal real-world exploitation likelihood despite the vulnerability being disclosed.
Stored cross-site scripting (XSS) in Crocoblock JetTricks WordPress plugin versions up to 1.5.4.1 allows authenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of other users. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise site visitors. No public exploit code or active exploitation has been identified at the time of analysis.
Stored cross-site scripting in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.19 enables authenticated attackers to inject malicious scripts into web pages that execute in the browsers of site visitors and administrators. The vulnerability resides in improper input sanitization during page generation, allowing persistent XSS payload storage in the WordPress database. No public exploit code has been identified at time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation despite the stored XSS vector.
Missing authorization controls in themeisle Hestia WordPress theme through version 3.2.10 allow unauthenticated attackers to access functionality that should be restricted by access control lists, enabling potential unauthorized actions within affected WordPress installations. The vulnerability has a low exploitation probability (EPSS 0.06%) and no confirmed active exploitation or public exploit code at time of analysis.
Stored XSS vulnerability in Crocoblock JetTabs WordPress plugin version 2.2.9 and earlier allows authenticated attackers to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling persistent payload storage and site-wide impact. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%) suggests limited real-world exploitation probability despite the persistent nature of stored XSS.
Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin version 2.7.7 and earlier allows authenticated users to inject malicious scripts into web pages that execute in the browsers of other users viewing the affected content. The vulnerability exists in the plugin's input handling during web page generation, enabling persistent XSS attacks through stored payloads. While no public exploit code has been identified, the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the moderate attack surface of WordPress plugins.
SQL injection vulnerability in YayCommerce SMTP for SendGrid (YaySMTP) WordPress plugin version 1.5 and earlier allows authenticated attackers to execute arbitrary SQL commands against the plugin's database queries. The vulnerability enables data exfiltration, modification, or deletion depending on database permissions. EPSS score of 0.05% indicates low exploitation probability despite the SQL injection classification.
Stored cross-site scripting (XSS) in Easy Elementor Addons WordPress plugin through version 2.2.5 allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or website functionality. The vulnerability affects the plugin's web page generation process and has been confirmed by security researchers at Patchstack, though no evidence of active exploitation or public exploit code is documented.
Server-Side Request Forgery (SSRF) in FG Drupal to WordPress plugin versions 3.90.0 and earlier allows remote attackers to make arbitrary HTTP requests from the affected WordPress server, potentially accessing internal services, cloud metadata endpoints, or other backend resources. The vulnerability has an extremely low EPSS score (0.03%, 10th percentile), indicating minimal observed exploitation probability despite public availability of vulnerability details.
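The SSRF entry above describes the common plugin mistake of passing a user-supplied URL straight to the HTTP API. The following is an added example, not code from FG Drupal to WordPress or any other plugin on this page; all function names are hypothetical. It contrasts the unrestricted call with a version that resolves the host, rejects private, loopback and link-local addresses, and then hands the URL to WordPress's own safe fetch with redirects disabled:

```php
<?php
/**
 * Added example (not from any plugin listed on this page). Function names are
 * hypothetical. The vulnerable form hands the raw URL to wp_remote_get(); the
 * hardened form checks every address the host resolves to before requesting.
 */

// Vulnerable: no restriction on scheme, host or port, and redirects are followed.
function example_fetch_unsafe( $url ) {
    $response = wp_remote_get( $url );            // reaches 127.0.0.1, 169.254.169.254, ...
    return wp_remote_retrieve_body( $response );
}

/**
 * True only when $url is http(s) and every IPv4 address its host resolves to is
 * publicly routable. filter_var() with NO_RES_RANGE also rejects 169.254.0.0/16
 * (cloud metadata), which wp_http_validate_url() does not cover on its own.
 * Hosts with only IPv6 records fail closed here, which is the safe default.
 */
function example_url_is_public( $url ) {
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // Resolve once here; the request below disables redirects so the host we
    // checked is the host we contact. DNS rebinding between the two lookups
    // is a residual risk this check does not close.
    $ips = gethostbynamel( $parts['host'] );
    if ( empty( $ips ) ) {
        return false;
    }
    foreach ( $ips as $ip ) {
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true;
}

// Hardened: validate, then use the "safe" HTTP API (reject_unsafe_urls => true,
// ports limited to 80/443/8080) with redirects off so a public host cannot
// bounce the request to an internal one.
function example_fetch_safe( $url ) {
    $url = esc_url_raw( wp_unslash( $url ), array( 'http', 'https' ) );
    if ( '' === $url || ! example_url_is_public( $url ) ) {
        return new WP_Error( 'ssrf_blocked', 'URL does not point to a public host.' );
    }
    $response = wp_safe_remote_get( $url, array( 'redirection' => 0, 'timeout' => 5 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return wp_remote_retrieve_body( $response );
}
```

The two layers are deliberate: wp_safe_remote_get() alone blocks 10/8, 127/8, 172.16/12 and 192.168/16 but not the 169.254.169.254 metadata address, and the explicit resolver check alone would be bypassed by a redirect, which is why redirection is set to zero.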
Missing authorization controls in Chatbox Manager WordPress plugin versions 1.2.5 and earlier allow unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of role-based access checks, potentially enabling unauthorized users to access or modify sensitive chatbox functionality. With an EPSS score of 0.05% and no evidence of active exploitation, this is a lower-priority vulnerability suitable for routine patching cycles.
Missing authorization controls in the Stop and Block Bots plugin (Anti bots) for WordPress through version 1.48 allows attackers to access functionality that should be restricted by access control lists, enabling unauthorized administrative operations without proper authentication. The vulnerability is classified as broken access control (CWE-862) with low exploitation probability (EPSS 0.06%) and no confirmed active exploitation.
SQL injection vulnerability in YayCommerce YaySMTP WordPress plugin through version 1.3 allows attackers to execute arbitrary SQL commands against the plugin's database queries. The vulnerability affects the smtp-sendinblue plugin and has been reported by Patchstack security researchers; however, no public exploit code or confirmed active exploitation has been identified at this time. With an EPSS score of 0.05% (15th percentile), this represents a low exploitation probability despite the critical nature of SQL injection vulnerabilities.
Cross-site request forgery in the WordPress Import CDN-Remote Images plugin versions up to 2.1.2 enables stored cross-site scripting through forged requests that are not protected by a nonce check. An attacker can craft malicious requests to inject persistent JavaScript payloads into the plugin's configuration or imported content, affecting WordPress installations running vulnerable versions of the plugin. The vulnerability carries low exploitation probability (EPSS 0.02%) and no public exploit code has been identified.
Missing authorization controls in the Real Estate Property 2024 Create Your Own Fields and Search Bar WordPress plugin (versions up to 4.48) permit unauthenticated or low-privileged users to access functionality and data intended for higher privilege levels. The vulnerability stems from inadequately configured access control checks on plugin endpoints, allowing attackers to bypass intended security boundaries. With an EPSS score of 0.05% (17th percentile), real-world exploitation risk is minimal, and no public exploit code or active exploitation has been identified.
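The CSRF entries near the top of this list and the missing-authorization entries above are two different defects that are often confused because the fix for each is a single line. The following is an added example, not code from any plugin or theme on this page, with hypothetical hook, option and function names. It shows a handler that is authenticated but has no nonce (the CSRF case), a handler that is registered for logged-out users with no capability test (the missing-authorization case), and one hardened handler that applies both checks:

```php
<?php
/**
 * Added example, not code from any plugin listed above. Names are hypothetical.
 *   - a nonce (wp_nonce_field / check_admin_referer) proves the request was
 *     intentionally sent from the site's own form: the CSRF fix;
 *   - a capability test (current_user_can) proves the caller is allowed to do
 *     this at all: the missing-authorization fix.
 * Either one on its own leaves the other hole open.
 */

// Vulnerable handler 1: admin_post_* only fires for logged-in users, but there
// is no nonce. Any page an administrator visits can POST to
// admin-post.php?action=example_save and change the setting.
add_action( 'admin_post_example_save', 'example_save_vulnerable' );
function example_save_vulnerable() {
    update_option( 'example_redirect_url', $_POST['redirect_url'] );
    wp_safe_redirect( admin_url() );
    exit;
}

// Vulnerable handler 2: registered for logged-out users ("nopriv") and never
// asks who is calling. Anyone can change the setting directly; no CSRF needed.
add_action( 'wp_ajax_nopriv_example_save', 'example_save_noauth' );
add_action( 'wp_ajax_example_save', 'example_save_noauth' );
function example_save_noauth() {
    update_option( 'example_redirect_url', $_POST['redirect_url'] );
    wp_send_json_success();
}

// Settings form: emits a nonce tied to the action name.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_fixed">';
    wp_nonce_field( 'example_save_fixed' );      // field name defaults to _wpnonce
    echo '<input type="url" name="redirect_url" value="' . esc_attr( get_option( 'example_redirect_url', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Hardened handler: logged-in hook only, capability check, nonce check,
// sanitised value.
add_action( 'admin_post_example_save_fixed', 'example_save_fixed' );
function example_save_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_fixed' );    // dies with 403 if the nonce is missing or stale

    $url = isset( $_POST['redirect_url'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) ) : '';
    update_option( 'example_redirect_url', $url );

    $back = wp_get_referer();
    if ( ! $back ) {
        $back = admin_url();
    }
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
```

The capability check is placed before the nonce check on purpose: a nonce is tied to the current user's session, so verifying it first tells an unauthorised but logged-in user nothing useful, while a capability failure returns the same 403 for everyone.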
Arbitrary file deletion in the Counter live visitors for WooCommerce plugin (WordPress) versions ≤1.3.6 allows unauthenticated attackers to delete entire directories on the server through insufficient path validation in the wcvisitor_get_block function. Exploitation wipes all files within the targeted directory, causing data loss or denial of service. The attack requires no authentication (CVSS PR:N). No public exploit identified at time of analysis.
Arbitrary file deletion in Malcure Malware Scanner for WordPress (versions ≤17.0) permits authenticated attackers with Subscriber-level privileges to delete critical system files via the wpmr_delete_file() function, which lacks capability checks. Exploitation allows path traversal to wp-config.php or other core files, creating conditions for remote code execution through redeployment of malicious files. The vulnerability is reachable only when the plugin's advanced mode is enabled. Affects authenticated low-privilege users (PR:L). No public exploit identified at time of analysis.
Stored cross-site scripting in Affiliate Reviews plugin for WordPress (versions up to 1.0.6) allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'numColumns' parameter, which executes in the browsers of any user viewing the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the block-reviews-grid-style.php template. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting (XSS) in the Brandfolder WordPress plugin up to version 5.0.19 allows authenticated attackers with Contributor-level permissions or above to inject arbitrary JavaScript via the 'id' parameter, which executes in the browser context of any user accessing the affected page. The vulnerability stems from insufficient input sanitization and output escaping. No public exploit code or active exploitation has been confirmed at the time of analysis; however, the low attack complexity and requirement only for Contributor-level authentication make this a practical risk in multi-user WordPress environments. A patched version (5.0.20) is available from the vendor.
Arbitrary file movement in HT Contact Form Widget for Elementor & Gutenberg (WordPress plugin) allows unauthenticated remote attackers to relocate server files, including wp-config.php, enabling remote code execution. Affects all versions through 2.2.1. The vulnerability stems from insufficient path validation in the handle_files_upload() function. No public exploit identified at time of analysis; low observed exploitation activity.
Arbitrary file deletion in HT Contact Form Widget For Elementor (WordPress plugin) allows unauthenticated attackers to remove critical server files, enabling remote code execution. Affecting all versions through 2.2.1, the vulnerability stems from insufficient path validation in temp_file_delete(), permitting deletion of wp-config.php or other essential files. CVSS 9.1 (Critical) with network attack vector, low complexity, and no authentication required. Vendor patch available (changeset 3326887). No public exploit identified at time of analysis, though the attack path is straightforward for skilled adversaries.
Unauthenticated arbitrary file upload in HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks plugin (all versions ≤2.2.1) allows attackers to upload arbitrary files to the WordPress server and achieve remote code execution. Missing file type validation in the temp_file_upload() function permits unrestricted uploads, including executable PHP scripts. Critical severity (CVSS 9.8) due to a network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis.
Remote code execution via arbitrary plugin upload in Alone - Charity Multipurpose Non-profit WordPress Theme up to version 7.8.3 allows unauthenticated attackers to upload malicious zip files containing webshells through the alone_import_pack_install_plugin() function, achieving complete server compromise. This critical vulnerability (CVSS 9.8) stems from missing capability checks, enabling attackers to bypass all authentication requirements. No public exploit identified at time of analysis, though the attack is technically straightforward given the unauthenticated attack vector and low complexity (AC:L).
Unauthenticated arbitrary file deletion in Alone WordPress theme versions ≤7.8.5 enables remote attackers to achieve code execution by deleting critical files like wp-config.php. The vulnerability stems from insufficient path validation in the alone_import_pack_restore_data() function, exploitable over the network with low complexity and no user interaction required. Partial fix released in version 7.8.5; fully addressed in version 7.8.7. EPSS data and KEV status not provided in available intelligence, but the unauthenticated remote attack vector and direct path to RCE represent critical risk for sites running affected versions.
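The arbitrary-file-deletion and file-movement entries above (Counter live visitors, Malcure, HT Contact Form Widget, Alone) share one root cause: a request parameter is joined onto a directory and handed to unlink(), rmdir() or rename() with no confinement. The following is an added example, not code from any of those products, with hypothetical names. It shows the unconfined pattern and a replacement that canonicalises the path with realpath(), requires it to stay under the intended base, refuses directories, and gates the handler on capability and nonce:

```php
<?php
/**
 * Added example, not code from the plugins or theme above; names hypothetical.
 * Pattern behind the arbitrary-file-deletion entries: a request parameter is
 * joined onto a directory and passed to unlink()/rmdir() with no confinement.
 */

// Vulnerable: unauthenticated AJAX, path taken verbatim. "../../wp-config.php"
// or a directory name both work.
add_action( 'wp_ajax_nopriv_example_delete', 'example_delete_vulnerable' );
function example_delete_vulnerable() {
    $upload = wp_upload_dir();
    $target = $upload['basedir'] . '/example-cache/' . $_POST['file'];
    if ( is_dir( $target ) ) {
        array_map( 'unlink', glob( "$target/*" ) );  // wipes the directory
        rmdir( $target );
    } else {
        unlink( $target );
    }
    wp_send_json_success();
}

/**
 * Resolve $relative beneath $base and return the canonical path only if the
 * result still lies inside $base. realpath() collapses "..", symlinks and
 * encoding tricks; the prefix test is done on the canonical form of both.
 * Returns false for anything outside, non-existent, or not a regular file.
 */
function example_confined_file( $base, $relative ) {
    $base = realpath( $base );
    if ( false === $base ) {
        return false;
    }
    $base = trailingslashit( wp_normalize_path( $base ) );

    // Strip NUL bytes and leading separators so the join cannot escape early.
    $relative = ltrim( str_replace( "\0", '', (string) $relative ), '/\\' );
    $target   = realpath( $base . $relative );
    if ( false === $target ) {
        return false;
    }
    $target = wp_normalize_path( $target );

    if ( 0 !== strpos( $target, $base ) || ! is_file( $target ) ) {
        return false;
    }
    return $target;
}

// Hardened: logged-in hook only, capability + nonce, confined path, regular
// files only, and only the extension this feature actually creates.
add_action( 'wp_ajax_example_delete_fixed', 'example_delete_fixed' );
function example_delete_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_delete_fixed', 'nonce' );

    $upload = wp_upload_dir();
    $file   = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $path   = example_confined_file( $upload['basedir'] . '/example-cache', $file );

    if ( false === $path || 'tmp' !== strtolower( pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}
```

The trailing slash on the canonical base matters: without it, a base of `/uploads/example-cache` would also accept `/uploads/example-cache2/anything`. The same confinement helper applies unchanged to a move or rename, checking both source and destination.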
The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable on sites with addslashes disabled.
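The entry above, and the other SQL injection entries on this page, come from interpolating a request parameter into a query string. The following is an added example, not code from Modern Events Calendar or any other plugin here; the table, hook and function names are hypothetical. It shows the unquoted numeric case, which needs no quote character and so is unaffected by WordPress's automatic slashing of request data, the quoted case that becomes reachable once the code strips those slashes, and the prepared-statement fix:

```php
<?php
/**
 * Added example, not code from any plugin above; table and hook names are
 * hypothetical. Shows the pattern behind the SQL injection entries: a request
 * parameter interpolated into a query string.
 */

// Vulnerable: unauthenticated AJAX, `id` dropped straight into the SQL.
// In a numeric context no quote character is needed, so the slashes WordPress
// adds to $_GET/$_POST do not get in the way:
//   ?action=example_load&id=1 UNION SELECT user_login,user_pass,3 FROM wp_users
add_action( 'wp_ajax_nopriv_example_load', 'example_load_vulnerable' );
add_action( 'wp_ajax_example_load', 'example_load_vulnerable' );
function example_load_vulnerable() {
    global $wpdb;
    $id  = $_GET['id'];
    $row = $wpdb->get_row( "SELECT id, title, body FROM {$wpdb->prefix}example_items WHERE id = $id" );
    wp_send_json( $row );
}

// Also vulnerable, but only once the code strips the slashes WordPress added:
// the quoted context needs a literal ' to break out, and stripslashes() hands
// it back. This is why some quoted-context bugs are reported as conditional on
// the slashing being absent.
function example_load_quoted( $slug ) {
    global $wpdb;
    $slug = stripslashes( $slug );
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}example_items WHERE slug = '$slug'" );
}

// Hardened: $wpdb->prepare() with typed placeholders. %d casts to integer,
// %s is quoted and escaped by the database escaper; the table name is still
// interpolated because it is code, not user data.
function example_load_item( $id ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, title, body FROM {$wpdb->prefix}example_items WHERE id = %d",
            $id
        )
    );
}

function example_load_by_slug( $slug ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, title, body FROM {$wpdb->prefix}example_items WHERE slug = %s",
            sanitize_title( wp_unslash( $slug ) )
        )
    );
}

add_action( 'wp_ajax_nopriv_example_load_fixed', 'example_load_fixed' );
add_action( 'wp_ajax_example_load_fixed', 'example_load_fixed' );
function example_load_fixed() {
    $id  = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    $row = $id ? example_load_item( $id ) : null;
    if ( ! $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
}
```

absint() before prepare() is belt-and-braces: %d already casts, but rejecting zero up front avoids a needless query and gives a clean 404 on garbage input.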
The AIT CSV Import/Export WordPress plugin through version 3.0.3 allows unauthorized arbitrary file uploads without file type validation. The upload handler in upload-handler.php is accessible without authentication, enabling remote attackers to deploy PHP webshells and achieve code execution on the WordPress server.
The Total Upkeep WordPress backup plugin through version 1.14.9 exposes backup file locations via env-info.php and restore-info.json. Unauthenticated attackers can discover and download complete site backups containing the database, wp-config.php with credentials, and all uploaded files.
The RSFirewall! plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.1.42 via the get_local_filename() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulnerability. Attackers can upload PHP files disguised with image extensions and then rename them back to .php using the plugin's built-in rename functionality, bypassing all upload restrictions.
The Friends plugin for WordPress versions up to 3.5.1 contains a PHP Object Injection vulnerability in the query_vars parameter that allows authenticated subscribers and above to inject malicious serialized objects through unsafe deserialization. While the plugin itself lacks a known gadget chain (POP chain), successful exploitation depends on the presence of vulnerable code in other installed plugins or themes; if such a chain exists, attackers can achieve arbitrary file deletion, data exfiltration, or remote code execution, but exploitation requires knowledge of the site's SALT_NONCE and SALT_KEY values.
A remote code execution vulnerability in all (CVSS 8.8). High severity vulnerability requiring prompt remediation.
The Nokri - Job Board WordPress Theme contains a critical privilege escalation vulnerability (CVE-2025-1313) affecting all versions up to 1.6.3, where authenticated Subscriber-level users can change arbitrary user email addresses without proper identity validation. This allows attackers to reset administrator passwords and achieve complete account takeover, resulting in full WordPress site compromise. With a CVSS score of 8.8 and low attack complexity requiring only valid subscriber credentials, this vulnerability poses significant real-world risk to WordPress installations using this theme.
The WPBookit WordPress plugin (versions ≤1.0.4) contains a critical arbitrary file upload vulnerability in the image_upload_handle() function due to missing file type validation, allowing unauthenticated attackers to upload malicious files and potentially achieve remote code execution. With a CVSS score of 9.8, network-accessible attack vector, and no authentication requirement, this vulnerability poses an immediate and severe threat to any WordPress installation using the affected plugin.
WPBookit WordPress plugin versions up to 1.0.4 contain an arbitrary file upload vulnerability in the handle_image_upload() function due to missing file type validation, allowing authenticated attackers with Subscriber-level privileges to upload malicious files and potentially achieve remote code execution. This is a high-severity vulnerability (CVSS 8.8) affecting a plugin likely used by booking/appointment management websites, with low attack complexity and no user interaction required once authenticated.
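The arbitrary-upload entries on this page (HT Contact Form Widget, Alone, AIT CSV Import/Export, Simple File List, WPBookit, GB Forms DB aside) all trust a client-supplied file name, and sometimes the client-supplied MIME type, then write the file under a web-served directory. The following is an added example, not code from any of those plugins, with hypothetical names. It shows the trusting handler, a hardened one that sniffs the content against an explicit allow-list and lets WordPress pick the stored name, and a rename helper that closes the "upload as image, rename to .php" route described for Simple File List:

```php
<?php
/**
 * Added example, not code from any plugin above; names are hypothetical.
 * Pattern behind the arbitrary file upload entries: the handler trusts the
 * client-supplied file name (and sometimes $_FILES[...]['type']) and writes
 * the file as-is.
 */

// Vulnerable: no authentication, no type check, original name kept.
// A "shell.php" upload lands under a web-served directory and runs.
add_action( 'wp_ajax_nopriv_example_upload', 'example_upload_vulnerable' );
function example_upload_vulnerable() {
    $upload = wp_upload_dir();
    $dest   = $upload['basedir'] . '/example/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( $upload['baseurl'] . '/example/' . $_FILES['file']['name'] );
}

// Allow-list of what the feature actually needs. Anything else is rejected,
// regardless of what the browser claims in $_FILES[...]['type'].
function example_allowed_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'pdf'      => 'application/pdf',
    );
}

// Hardened: logged-in hook, capability, nonce, server-side type detection
// against the allow-list, and a stored name generated by WordPress.
add_action( 'wp_ajax_example_upload_fixed', 'example_upload_fixed' );
function example_upload_fixed() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_upload_fixed', 'nonce' );

    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Sniffs the content (finfo / getimagesize) and compares it with the
    // extension; returns empty ext/type when they disagree or are not allowed.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        sanitize_file_name( $_FILES['file']['name'] ),
        example_allowed_mimes()
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // wp_handle_upload() repeats the check with the same allow-list and moves
    // the file to a unique, sanitised name inside the uploads directory
    // (sanitize_file_name() turns a.php.jpg into a.php_.jpg on the way).
    $moved = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => example_allowed_mimes() )
    );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $moved['url'] ) );
}

// Rename helper for the "upload as .jpg, rename to .php" trick: the new name
// must pass the same allow-list, and only a basename inside our folder is touched.
function example_rename_upload( $dir, $old, $new ) {
    $old = basename( sanitize_file_name( $old ) );
    $new = basename( sanitize_file_name( $new ) );
    $ft  = wp_check_filetype( $new, example_allowed_mimes() );
    if ( empty( $ft['ext'] ) ) {
        return false;                                   // .php, .phtml, .htaccess, ...
    }
    $src = trailingslashit( $dir ) . $old;
    $dst = trailingslashit( $dir ) . $new;
    return is_file( $src ) && ! file_exists( $dst ) && rename( $src, $dst );
}
```

Content sniffing is the part most plugins skip: checking only the extension, or only the browser-supplied type, is what makes a PHP file with a .jpg name acceptable, and the rename step then turns it back into something the web server will execute.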
A SSRF vulnerability in for WordPress is vulnerable to Server-Side Request Forgery in all (CVSS 7.2). High severity vulnerability requiring prompt remediation. Vendor patch is available.
A remote code execution vulnerability in for WordPress is vulnerable to CSV Injection in all (CVSS 4.1). Remediation should follow standard vulnerability management procedures.
A SQL injection vulnerability in WPGYM - Wordpress Gym Management System (CVSS 7.5). High severity vulnerability requiring prompt remediation.
The WoodMart plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.2.5 via the woodmart_get_posts_by_query() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
The FooGallery - Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'rp_user_data' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from user meta like hashed passwords, usernames, and more.
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery - Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'upload[1][title]' parameter in all versions up to, and including, 26.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The GB Forms DB plugin for WordPress contains a critical unauthenticated Remote Code Execution vulnerability in the gbfdb_talk_to_front() function, affecting all versions up to 1.0.2. The vulnerability stems from unsanitized user input passed directly to call_user_func(), allowing attackers to execute arbitrary PHP code without authentication. This can be leveraged to inject backdoors, create administrative accounts, or achieve full server compromise.
The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
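Several entries on this page (Affiliate Reviews, Brandfolder, FooGallery, WPC Smart Compare, GeoDirectory, Lana Downloads Manager, and the Crocoblock set) are stored XSS reachable by Contributor-level users through shortcode or block attributes. The reason that role keeps appearing is that a contributor's post body is filtered by KSES on save, but shortcode attributes are rendered by plugin code at view time, so the plugin must escape every value it prints in the context it prints it in. The following is an added example, not code from any of those plugins, with a hypothetical shortcode and attribute names; it shows the unescaped output and the context-aware replacement:

```php
<?php
/**
 * Added example, not code from any plugin above; shortcode and attribute names
 * are hypothetical. Contributor content is KSES-filtered on save, but the text
 * inside a shortcode's attributes is only interpreted when the plugin renders
 * it, so the plugin is the last line of defence.
 */

// Vulnerable: attributes concatenated into markup without escaping.
//   [example_grid numcolumns='3" onmouseover="alert(1)' link="javascript:alert(1)"]
add_shortcode( 'example_grid', 'example_grid_vulnerable' );
function example_grid_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'numcolumns' => 3, 'title' => '', 'link' => '' ), $atts, 'example_grid' );
    return '<div class="example-grid" data-cols="' . $atts['numcolumns'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . '<a href="' . $atts['link'] . '">more</a></div>';
}

// Hardened: coerce the type where one exists, then escape per output context.
add_shortcode( 'example_grid_fixed', 'example_grid_fixed' );
function example_grid_fixed( $atts ) {
    $atts = shortcode_atts( array( 'numcolumns' => 3, 'title' => '', 'link' => '' ), $atts, 'example_grid_fixed' );

    $cols  = absint( $atts['numcolumns'] );            // a number is the only valid value
    $cols  = min( max( $cols, 1 ), 6 );
    $title = esc_html( $atts['title'] );                 // text node context
    $link  = esc_url( $atts['link'] );                   // href context: javascript: and data: become ''

    return sprintf(
        '<div class="example-grid" data-cols="%s"><h3>%s</h3><a href="%s">more</a></div>',
        esc_attr( (string) $cols ),                      // attribute context
        $title,
        $link
    );
}

// A template file that receives the attributes (the pattern behind the
// 'numColumns' entry above) needs the same treatment at the point of output.
function example_grid_template( array $atts ) {
    $cols = isset( $atts['numColumns'] ) ? absint( $atts['numColumns'] ) : 1;
    ?>
    <div class="reviews-grid" style="--cols: <?php echo esc_attr( (string) $cols ); ?>">
        <?php
        // Limited HTML allowed; script tags and event handlers are stripped.
        echo wp_kses_post( isset( $atts['intro'] ) ? $atts['intro'] : '' );
        ?>
    </div>
    <?php
}
```

The choice of escaper follows the destination, not the source: esc_attr() inside a quoted attribute, esc_html() in text, esc_url() in href or src, and wp_kses_post() only where a subset of HTML is genuinely required. Casting numColumns with absint() removes the attribute-breaking payload entirely rather than merely encoding it.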
A security vulnerability in Order Delivery Date WordPress (CVSS 4.3). Risk factors: public PoC available.
The Premium Age Verification / Restriction for WordPress plugin contains an insufficiently protected remote support functionality in remote_tunnel.php that allows unauthenticated attackers to read from or write to arbitrary files on affected servers. This critical vulnerability (CVSS 9.8) affects all versions up to and including 3.0.2, potentially enabling sensitive information disclosure or remote code execution without authentication. Given the critical CVSS score and network-accessible attack vector, this vulnerability should be treated as high priority pending confirmation of KEV status and active exploitation.
The Lana Downloads Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the endpoint parameters in versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
The Gwolle Guestbook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘gwolle_gb_content’ parameter in all versions up to, and including, 4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘calendar_header’ parameter in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 7.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
The Simple Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slideshow’ parameter in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details, such as the password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
The Gutenberg Blocks with AI by Kadence WP - Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘redirectURL’ parameter in all versions up to, and including, 3.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Pie Register WordPress plugin versions up to 3.7.1.4 contain an authentication bypass that allows unauthenticated attackers to log in as any user including administrators. By submitting a crafted POST request with social_site=true and a target user_id_social_site value, attackers generate valid WordPress sessions for arbitrary accounts.
The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.
The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated.
The WCFM - Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys.
The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included.
The Woodmart theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'multiple_markers' attribute in all versions up to, and including, 8.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.15 via the layout parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This is limited to just PHP files.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The Lightbox & Modal Popup WordPress Plugin - FooBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alternative texts in all versions up to, and including, 2.7.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Cross-site request forgery (CSRF) in Webba Appointment Booking plugin (webba-booking-lite) through version 5.1.20 allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects the WordPress plugin and carries a low exploitation probability (EPSS 0.02%, percentile 6%), with no public exploit code identified at the time of analysis.
Cross-site request forgery in Tribulant Software Newsletters (newsletters-lite) plugin versions up to 4.10 allows attackers to perform unauthorized administrative actions by tricking authenticated users into visiting malicious pages. The vulnerability affects a widely-distributed WordPress plugin with no CVSS vector or CVSS score assigned, though EPSS scoring indicates minimal real-world exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been confirmed.
Cross-site request forgery (CSRF) in BlocksWP Theme Builder For Elementor plugin versions through 1.2.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability lacks a published CVSS score and shows minimal exploitation probability (0.02% EPSS), with no public exploit code or active exploitation reported, suggesting limited real-world risk despite the security-conscious WordPress ecosystem.
Cross-Site Request Forgery (CSRF) vulnerability in WesternDeal WooCommerce Google Sheet Connector plugin versions up to 1.3.20 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress administrators. The plugin fails to implement proper CSRF token validation on critical functionality, enabling attackers to craft malicious requests that execute actions without explicit user consent. Although EPSS scoring indicates low exploitation probability (0.02%), CSRF vulnerabilities targeting WordPress admin functions represent a meaningful risk in multi-admin environments where social engineering can trick administrators into visiting attacker-controlled pages.
SQL injection in QuanticaLabs GymBase Theme Classes WordPress plugin versions up to 1.4 enables unauthenticated remote attackers to execute arbitrary SQL queries against the underlying database. The vulnerability exists in the gymbase_classes component and carries an EPSS score of 0.05% (16th percentile), indicating very low exploitation probability despite the critical nature of SQL injection flaws. No public exploit code or active exploitation has been identified at the time of analysis.
DOM-based cross-site scripting (XSS) in WPAdverts WordPress plugin versions 2.2.5 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability enables arbitrary JavaScript execution in the context of affected websites, potentially leading to session hijacking, credential theft, or malware distribution. No active exploitation has been confirmed, and EPSS probability remains low at 0.04%.
DOM-based cross-site scripting (XSS) vulnerability in WP Delicious plugin versions 1.8.4 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks against WordPress sites using the affected plugin. No CVSS score or exploitation data is available, but the low EPSS score (0.04%) suggests limited real-world exploitation probability at the time of analysis.
Cross-site request forgery (CSRF) in the RelyWP Coupon Affiliates WordPress plugin (woo-coupon-usage) through version 6.4.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the plugin's coupon management functionality and requires user interaction (tricking an admin into visiting a malicious page), but carries negligible real-world exploitation probability per EPSS scoring (0.02%, 6th percentile).
Erik AntiSpam for Contact Form 7 plugin versions through 0.6.3 fails to implement proper CSRF token validation, allowing attackers to forge requests that modify plugin settings or trigger unintended actions on behalf of authenticated administrators. The vulnerability affects WordPress installations with this plugin active, though the extremely low EPSS score (0.02%) suggests practical exploitation barriers or limited real-world impact despite the CVSS categorization.
Missing authorization controls in CreativeMindsSolutions CM Pop-Up banners WordPress plugin versions 1.8.4 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of access control checks on sensitive functionality, enabling attackers to perform unauthorized actions through direct API or parameter manipulation without requiring valid credentials or proper authorization validation.
DOM-based cross-site scripting (XSS) in Kyle Gilman Videopack plugin for WordPress (versions up to 4.10.3) allows authenticated attackers to inject malicious scripts into video embed pages. The vulnerability improperly neutralizes user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected video pages. No active exploitation has been confirmed, and the EPSS score of 0.04% indicates minimal probability of exploitation.
Stored cross-site scripting (XSS) in Welcart e-Commerce WordPress plugin versions 2.11.16 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or customer data. The vulnerability exists in the web page generation process where user input is not properly sanitized before being stored and rendered to other users. No public exploit code or active exploitation has been confirmed, but the low EPSS score (0.04%) suggests limited real-world attack probability despite the XSS classification.
Cross-site request forgery (CSRF) vulnerability in WordPress FluentSnippets plugin versions up to 10.50 allows unauthenticated attackers to execute unwanted actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the easy-code-manager component and has a low exploitation probability (EPSS 0.03%), but CSRF attacks typically require social engineering to trick users into visiting a malicious site, making real-world impact dependent on site traffic and user behavior rather than technical exploitability alone.
Stored cross-site scripting (XSS) in Crocoblock JetSmartFilters WordPress plugin through version 3.6.8 allows attackers to inject persistent malicious scripts that execute in the browsers of site administrators and users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise site integrity and steal sensitive data or session tokens. No public exploit code has been identified at the time of analysis, and the low EPSS score (0.04%, 13th percentile) suggests limited real-world exploitation likelihood despite the high-severity XSS classification.
Stored cross-site scripting (XSS) in Bold Page Builder WordPress plugin through version 5.4.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during page generation, enabling attackers with page creation or editing capabilities to embed persistent XSS payloads. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04%) reflects limited real-world attack probability despite the vulnerability's presence in a widely-installed page builder plugin.
Missing authorization controls in favethemes Houzez WordPress theme through version 4.0.4 allow unauthenticated attackers to bypass access control restrictions and access resources they should not be permitted to view. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation risk is low despite the vulnerability's presence in a popular real estate theme.
Stored cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin versions 3.5.10.1 and earlier allows attackers to inject malicious scripts that persist in the application and execute in users' browsers when the affected pages are viewed. The vulnerability resides in improper input neutralization during web page generation, enabling attackers with sufficient permissions to store XSS payloads that compromise other users' sessions and data. No public exploit code or active exploitation has been confirmed; however, the low EPSS score (0.04%, 13th percentile) suggests limited real-world attack probability despite the persistent nature of the vulnerability.
Stored XSS vulnerability in Crocoblock JetPopup WordPress plugin up to version 2.0.15.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of site visitors and administrators. The vulnerability exists in web page generation logic where user input is not properly sanitized before being rendered, enabling persistent script injection. Despite a low EPSS score (0.04%), stored XSS in WordPress plugins poses significant risk due to broad exposure to site visitors and the potential for session hijacking, credential theft, or privilege escalation when executed in admin contexts.
Improper input neutralization in Crocoblock JetPopup plugin (versions up to 2.0.15) allows DOM-based cross-site scripting (XSS) attacks. The vulnerability enables attackers to inject and execute malicious JavaScript in the context of a web browser when a user interacts with a popup, potentially leading to session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04%, 13th percentile) suggests minimal real-world exploitation likelihood despite the vulnerability being disclosed.
Stored cross-site scripting (XSS) in Crocoblock JetTricks WordPress plugin versions up to 1.5.4.1 allows authenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of other users. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise site visitors. No public exploit code or active exploitation has been identified at the time of analysis.
Stored cross-site scripting in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.19 enables authenticated attackers to inject malicious scripts into web pages that execute in the browsers of site visitors and administrators. The vulnerability resides in improper input sanitization during page generation, allowing persistent XSS payload storage in the WordPress database. No public exploit code has been identified at time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation despite the stored XSS vector.
Missing authorization controls in themeisle Hestia WordPress theme through version 3.2.10 allow unauthenticated attackers to access functionality that should be restricted by access control lists, enabling potential unauthorized actions within affected WordPress installations. The vulnerability has a low exploitation probability (EPSS 0.06%) and no confirmed active exploitation or public exploit code at time of analysis.
Stored XSS vulnerability in Crocoblock JetTabs WordPress plugin version 2.2.9 and earlier allows authenticated attackers to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling persistent payload storage and site-wide impact. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%) suggests limited real-world exploitation probability despite the persistent nature of stored XSS.
Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin version 2.7.7 and earlier allows authenticated users to inject malicious scripts into web pages that execute in the browsers of other users viewing the affected content. The vulnerability exists in the plugin's input handling during web page generation, enabling persistent XSS attacks through stored payloads. While no public exploit code has been identified, the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the moderate attack surface of WordPress plugins.
SQL injection vulnerability in YayCommerce SMTP for SendGrid (YaySMTP) WordPress plugin version 1.5 and earlier allows authenticated attackers to execute arbitrary SQL commands against the plugin's database queries. The vulnerability enables data exfiltration, modification, or deletion depending on database permissions. EPSS score of 0.05% indicates low exploitation probability despite the SQL injection classification.
Stored cross-site scripting (XSS) in Easy Elementor Addons WordPress plugin through version 2.2.5 allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or website functionality. The vulnerability affects the plugin's web page generation process and has been confirmed by security researchers at Patchstack, though no evidence of active exploitation or public exploit code is documented.
Server-Side Request Forgery (SSRF) in FG Drupal to WordPress plugin versions 3.90.0 and earlier allows remote attackers to make arbitrary HTTP requests from the affected WordPress server, potentially accessing internal services, cloud metadata endpoints, or other backend resources. The vulnerability has an extremely low EPSS score (0.03%, 10th percentile), indicating minimal observed exploitation probability despite public availability of vulnerability details.
Missing authorization controls in Chatbox Manager WordPress plugin versions 1.2.5 and earlier allow unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of role-based access checks, potentially enabling unauthorized users to access or modify sensitive chatbox functionality. With an EPSS score of 0.05% and no evidence of active exploitation, this is a lower-priority vulnerability suitable for routine patching cycles.
Missing authorization controls in the Stop and Block Bots plugin (Anti bots) for WordPress through version 1.48 allow attackers to access functionality that should be restricted by access control lists, enabling unauthorized administrative operations without proper authentication. The vulnerability is classified as broken access control (CWE-862) with low exploitation probability (EPSS 0.06%) and no confirmed active exploitation.
SQL injection vulnerability in YayCommerce YaySMTP WordPress plugin through version 1.3 allows attackers to execute arbitrary SQL commands against the plugin's database queries. The vulnerability affects the smtp-sendinblue plugin and has been reported by Patchstack security researchers; however, no public exploit code or confirmed active exploitation has been identified at this time. With an EPSS score of 0.05% (15th percentile), this represents a low exploitation probability despite the critical nature of SQL injection vulnerabilities.
Cross-site request forgery in the WordPress Import CDN-Remote Images plugin versions up to 2.1.2 enables stored cross-site scripting attacks through forged requests that bypass CSRF protections. An attacker can craft malicious requests to inject persistent JavaScript payloads into the plugin's configuration or imported content, affecting WordPress installations running vulnerable versions of the plugin. The vulnerability carries low exploitation probability (EPSS 0.02%) and no public exploit code has been identified.
Missing authorization controls in the Real Estate Property 2024 Create Your Own Fields and Search Bar WordPress plugin (versions up to 4.48) permit unauthenticated or low-privileged users to access functionality and data intended for higher privilege levels. The vulnerability stems from inadequately configured access control checks on plugin endpoints, allowing attackers to bypass intended security boundaries. With an EPSS score of 0.05% (17th percentile), real-world exploitation risk is minimal, and no public exploit code or active exploitation has been identified.
Arbitrary file deletion in Counter live visitors for WooCommerce plugin (WordPress) versions ≤1.3.6 allows unauthenticated attackers to delete entire directories on the server through insufficient path validation in the wcvisitor_get_block function. Exploitation wipes all files within targeted directories, causing data loss or denial of service. The attack requires no authentication (CVSS PR:N). No public exploit identified at time of analysis.
Arbitrary file deletion in Malcure Malware Scanner for WordPress (versions ≤17.0) permits authenticated attackers with Subscriber-level privileges to delete critical system files via the wpmr_delete_file() function, which lacks capability checks. Exploitation enables path traversal to wp-config.php or other core files, creating conditions for remote code execution through redeployment of malicious files. The vulnerability is active only when the plugin's advanced mode is enabled. Affects authenticated low-privilege users (PR:L). No public exploit identified at time of analysis.
Stored cross-site scripting in Affiliate Reviews plugin for WordPress (versions up to 1.0.6) allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'numColumns' parameter, which executes in the browsers of any user viewing the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the block-reviews-grid-style.php template. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting (XSS) in the Brandfolder WordPress plugin up to version 5.0.19 allows authenticated attackers with Contributor-level permissions or above to inject arbitrary JavaScript via the 'id' parameter, which executes in the browser context of any user accessing the affected page. The vulnerability stems from insufficient input sanitization and output escaping. No public exploit code or active exploitation has been confirmed at the time of analysis; however, the low attack complexity and requirement only for Contributor-level authentication make this a practical risk in multi-user WordPress environments. A patched version (5.0.20) is available from the vendor.
Arbitrary file movement in HT Contact Form Widget for Elementor & Gutenberg (WordPress plugin) allows unauthenticated remote attackers to relocate server files including wp-config.php, enabling remote code execution. Affects all versions through 2.2.1. The vulnerability stems from insufficient path validation in the handle_files_upload() function. No public exploit identified at time of analysis, low observed exploitation activity.
Arbitrary file deletion in HT Contact Form Widget For Elementor (WordPress plugin) allows unauthenticated attackers to remove critical server files, enabling remote code execution. Affecting all versions through 2.2.1, the vulnerability stems from insufficient path validation in temp_file_delete(), permitting deletion of wp-config.php or other essential files. CVSS 9.1 (Critical) with network attack vector, low complexity, and no authentication required. Vendor patch available (changeset 3326887). No public exploit identified at time of analysis, though the attack path is straightforward for skilled adversaries.
Unauthenticated remote code execution in HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks plugin (all versions ≤2.2.1) allows attackers to upload arbitrary files to the WordPress server. Missing file type validation in temp_file_upload() function enables unrestricted file uploads, permitting execution of malicious scripts. Critical severity (CVSS 9.8) due to network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis.
Remote code execution via arbitrary plugin upload in Alone - Charity Multipurpose Non-profit WordPress Theme up to version 7.8.3 allows unauthenticated attackers to upload malicious zip files containing webshells through the alone_import_pack_install_plugin() function, achieving complete server compromise. This critical vulnerability (CVSS 9.8) stems from missing capability checks, enabling attackers to bypass all authentication requirements. No public exploit identified at time of analysis, though the attack is technically straightforward given the unauthenticated attack vector and low complexity (AC:L).
Unauthenticated arbitrary file deletion in Alone WordPress theme versions ≤7.8.5 enables remote attackers to achieve code execution by deleting critical files like wp-config.php. The vulnerability stems from insufficient path validation in the alone_import_pack_restore_data() function, exploitable over the network with low complexity and no user interaction required. Partial fix released in version 7.8.5; fully addressed in version 7.8.7. EPSS data and KEV status not provided in available intelligence, but the unauthenticated remote attack vector and direct path to RCE represent critical risk for sites running affected versions.
The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable on sites with addslashes disabled.
The AIT CSV Import/Export WordPress plugin through version 3.0.3 allows unauthorized arbitrary file uploads without file type validation. The upload handler in upload-handler.php is accessible without authentication, enabling remote attackers to deploy PHP webshells and achieve code execution on the WordPress server.
The Total Upkeep WordPress backup plugin through version 1.14.9 exposes backup file locations via env-info.php and restore-info.json. Unauthenticated attackers can discover and download complete site backups containing the database, wp-config.php with credentials, and all uploaded files.
The RSFirewall! plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.1.42 via the get_local_filename() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulnerability. Attackers can upload PHP files disguised with image extensions and then rename them back to .php using the plugin's built-in rename functionality, bypassing all upload restrictions.
The Friends plugin for WordPress versions up to 3.5.1 contains a PHP Object Injection vulnerability in the query_vars parameter that allows authenticated subscribers and above to inject malicious serialized objects through unsafe deserialization. While the plugin itself lacks a known gadget chain (POP chain), successful exploitation depends on the presence of vulnerable code in other installed plugins or themes; if such a chain exists, attackers can achieve arbitrary file deletion, data exfiltration, or remote code execution, but exploitation requires knowledge of the site's SALT_NONCE and SALT_KEY values.
A remote code execution vulnerability in all (CVSS 8.8). High severity vulnerability requiring prompt remediation.
The Nokri - Job Board WordPress Theme contains a critical privilege escalation vulnerability (CVE-2025-1313) affecting all versions up to 1.6.3, where authenticated Subscriber-level users can change arbitrary user email addresses without proper identity validation. This allows attackers to reset administrator passwords and achieve complete account takeover, resulting in full WordPress site compromise. With a CVSS score of 8.8 and low attack complexity requiring only valid subscriber credentials, this vulnerability poses significant real-world risk to WordPress installations using this theme.
The WPBookit WordPress plugin (versions ≤1.0.4) contains a critical arbitrary file upload vulnerability in the image_upload_handle() function due to missing file type validation, allowing unauthenticated attackers to upload malicious files and potentially achieve remote code execution. With a CVSS score of 9.8, network-accessible attack vector, and no authentication requirement, this vulnerability poses an immediate and severe threat to any WordPress installation using the affected plugin.
WPBookit WordPress plugin versions up to 1.0.4 contain an arbitrary file upload vulnerability in the handle_image_upload() function due to missing file type validation, allowing authenticated attackers with Subscriber-level privileges to upload malicious files and potentially achieve remote code execution. This is a high-severity vulnerability (CVSS 8.8) affecting a plugin likely used by booking/appointment management websites, with low attack complexity and no user interaction required once authenticated.
A SSRF vulnerability in for WordPress is vulnerable to Server-Side Request Forgery in all (CVSS 7.2). High severity vulnerability requiring prompt remediation. Vendor patch is available.
A remote code execution vulnerability in for WordPress is vulnerable to CSV Injection in all (CVSS 4.1). Remediation should follow standard vulnerability management procedures.
A SQL injection vulnerability in WPGYM - Wordpress Gym Management System (CVSS 7.5). High severity vulnerability requiring prompt remediation.
The WoodMart plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.2.5 via the woodmart_get_posts_by_query() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
The FooGallery - Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'rp_user_data' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from user meta like hashed passwords, usernames, and more.
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery - Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'upload[1][title]' parameter in all versions up to, and including, 26.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The GB Forms DB plugin for WordPress contains a critical unauthenticated Remote Code Execution vulnerability in the gbfdb_talk_to_front() function, affecting all versions up to 1.0.2. The vulnerability stems from unsanitized user input passed directly to call_user_func(), allowing attackers to execute arbitrary PHP code without authentication. This can be leveraged to inject backdoors, create administrative accounts, or achieve full server compromise.
The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
A security vulnerability in Order Delivery Date WordPress (CVSS 4.3). Risk factors: public PoC available.
The Premium Age Verification / Restriction for WordPress plugin contains an insufficiently protected remote support functionality in remote_tunnel.php that allows unauthenticated attackers to read from or write to arbitrary files on affected servers. This critical vulnerability (CVSS 9.8) affects all versions up to and including 3.0.2, potentially enabling sensitive information disclosure or remote code execution without authentication. Given the critical CVSS score and network-accessible attack vector, this vulnerability should be treated as high priority pending confirmation of KEV status and active exploitation.
The Lana Downloads Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the endpoint parameters in versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
The Gwolle Guestbook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘gwolle_gb_content’ parameter in all versions up to, and including, 4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘calendar_header’ parameter in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 7.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
The Simple Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slideshow’ parameter in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
The Gutenberg Blocks with AI by Kadence WP - Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘redirectURL’ parameter in all versions up to, and including, 3.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Pie Register WordPress plugin versions up to 3.7.1.4 contain an authentication bypass that allows unauthenticated attackers to log in as any user including administrators. By submitting a crafted POST request with social_site=true and a target user_id_social_site value, attackers generate valid WordPress sessions for arbitrary accounts.
The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.
The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated.
The WCFM - Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys.
The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included.
The Woodmart theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'multiple_markers' attribute in all versions up to, and including, 8.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.15 via the layout parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. Inclusion is limited to PHP files.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The Lightbox & Modal Popup WordPress Plugin - FooBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alternative texts in all versions up to, and including, 2.7.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.