WordPress
Monthly
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.
The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.8.9) contains an unrestricted file upload vulnerability allowing unauthenticated attackers to bypass file type blacklists and upload dangerous file extensions (.phar, etc.). On servers configured to execute .phar files as PHP (common in default Apache+mod_php setups), this enables remote code execution with high impact to confidentiality, integrity, and availability (CVSS 8.1). While KEV and EPSS data are not provided, the vulnerability is actively exploitable given its public disclosure and network-accessible attack vector.
The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The WordPress Infinite Scroll - Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Wise Chat WordPress plugin versions up to 3.3.4 contains a Stored Cross-Site Scripting (XSS) vulnerability in the X-Forwarded-For header processing that allows unauthenticated attackers to inject malicious scripts without authentication or user interaction. When vulnerable pages are accessed by site visitors, the injected scripts execute in their browsers, potentially enabling credential theft, session hijacking, or malware distribution. This vulnerability has a CVSS score of 7.2 (High) and affects all publicly-facing WordPress installations running the affected plugin versions.
The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments shortcodes in all versions up to, and including, 1.6.8.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Restrict File Access plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.2 via the output() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
The Image Resizer On The Fly WordPress plugin (versions ≤1.1) contains a critical arbitrary file deletion vulnerability in its 'delete' task that allows unauthenticated attackers to remove arbitrary files from the server without authentication. This vulnerability can facilitate remote code execution by deleting critical files such as wp-config.php, leading to complete WordPress installation compromise. With a CVSS score of 9.1 and network-accessible attack vector requiring no user interaction or privileges, this represents a critical risk to all unpatched installations.
The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'url_shortener_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the 'xisearch-key-config' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the 'yougler-plugin.php' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The kk Youtube Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kkytv' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the 'zen-social-sticky/zen-sticky-social.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Easy Flashcards plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the 'ef_settings_submenu' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status-classic-offline-text’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter in all versions up to, and including, 4.22 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The AI Image Lab - Free AI Image Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the 'wpz-ai-images' page. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A remote code execution vulnerability in all (CVSS 8.1). High severity vulnerability requiring prompt remediation.
The UserPro - Community and User Profile WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.10 via the userpro_fbconnect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
AutomatorWP plugin for WordPress versions up to 5.2.3 contains a time-based SQL injection vulnerability in the field_conditions parameter that allows authenticated administrators and higher-privileged users to extract sensitive database information through insufficient input escaping and lack of prepared statements. While the CVSS score of 7.2 is moderately high, exploitation requires administrator-level access, significantly limiting real-world attack surface; no active exploitation in the wild has been confirmed at this time.
A remote code execution vulnerability in File Manager Pro - Filester (CVSS 7.2). High severity vulnerability requiring prompt remediation.
The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the 'OnAdminApi_CacheOpBegin' function. This makes it possible for unauthenticated attackers to perform several administrative actions, including deleting the cache, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The WP Travel Engine plugin for WordPress contains a missing capability check in the delete_package() function, allowing unauthenticated attackers to delete arbitrary posts without authentication. This vulnerability affects all versions up to and including 6.5.1 and results in unauthorized data loss with a CVSS score of 7.5. The vulnerability is network-accessible with no user interaction required, making it a significant integrity risk for WordPress installations running vulnerable plugin versions.
The IndieBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘kind’ parameter in all versions up to, and including, 0.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Telegram for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Digital Marketing and Agency Templates Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the import_templates() function. This makes it possible for unauthenticated attackers to trigger an import via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The WP Sliding Login/Dashboard Panel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the wp_sliding_panel_user_options() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Link Shield plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.4. This is due to missing or incorrect nonce validation on the link_shield_menu_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The ACF Onyx Poll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The REST API | Custom API Generator For Cross Platform And Import Export plugin for WordPress (versions 1.0.0-2.0.3) contains a critical privilege escalation vulnerability where the process_handler() function lacks capability checks, allowing unauthenticated attackers to create administrator accounts via malicious JSON imports. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this is a severe, likely actively exploited vulnerability affecting any WordPress installation using vulnerable plugin versions.
The Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hex’ parameter in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Contact Us Page - Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmcalendarview' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmflat' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmeventlist' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possible for unauthenticated attackers to extract sensitive data including site content that has been restricted to certain users and/or roles.
A file upload vulnerability in all (CVSS 8.8). High severity vulnerability requiring prompt remediation.
A authentication bypass vulnerability in all (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Xagio SEO plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 7.1.0.16 that allows unauthenticated attackers to inject malicious scripts via the HTTP_REFERER parameter. When users access pages containing injected payloads, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. The vulnerability was only partially patched in version 7.1.0.0, indicating that complete mitigation requires upgrading to a version beyond 7.1.0.16.
CubeWP - All-in-One Dynamic Content Framework plugin for WordPress versions up to 1.1.23 contains a privilege escalation vulnerability that allows authenticated attackers with Subscriber-level access to elevate their privileges to administrator through arbitrary user meta manipulation. The vulnerability exploits improper access controls on the update_user_meta() function, enabling account takeover and full site compromise. No active exploitation in the wild has been confirmed at this time, but the low attack complexity and high impact make this a critical remediation priority.
The WordPress Automatic Plugin (all versions up to 3.115.0) contains an arbitrary file upload vulnerability in core.php due to insufficient file type validation, allowing authenticated attackers with Author-level or higher privileges to upload malicious files and potentially achieve remote code execution. This is a high-severity vulnerability (CVSS 8.8) affecting a widely-deployed WordPress plugin; real-world exploitation requires valid WordPress credentials at Author level or above, but successful exploitation enables complete server compromise.
WP-DownloadManager plugin for WordPress versions up to 1.68.10 contains an arbitrary file deletion vulnerability (CVE-2025-4799) that allows authenticated administrators to delete any file on the server without directory restrictions. When paired with CVE-2025-4798, attackers can delete critical files like wp-config.php, leading to remote code execution. The vulnerability requires high-privilege administrative access, resulting in a CVSS 7.2 score with high confidentiality, integrity, and availability impact.
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.
The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Min Max Step Quantity Limits Manager for WooCommerce allows Cross Site Request Forgery.This issue affects Min Max Step Quantity Limits Manager for WooCommerce: from n/a through 5.1.0.
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Smash Balloon Social Post Feed - Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Ultimate Blocks - WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A arbitrary file access vulnerability (CVSS 8.8). Risk factors: public PoC available.
A SQL injection vulnerability in through 1.0.0 does not properly sanitise and escape a parameter (CVSS 7.5). Risk factors: public PoC available.
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Bunny’s Print CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.95. This is due to missing or incorrect nonce validation on the pcss_options_subpanel() function. This makes it possible for unauthenticated attackers to update settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The RH - Real Estate WordPress Theme contains an Improper Access Control vulnerability (CWE-269) that allows authenticated subscribers and higher-privileged users to escalate their account privileges to administrator level through the inspiry_update_profile() function. All versions up to and including 4.4.0 are affected; versions 4.4.0 contain a partial patch while 4.4.1 provides complete remediation. With a CVSS score of 8.8 and network-based attack vector requiring only low-privilege authentication, this represents a critical privilege escalation risk for any WordPress installation using this theme.
The Abandoned Cart Pro for WooCommerce plugin (versions ≤9.16.0) contains an authenticated arbitrary file upload vulnerability in the wcap_add_to_cart_popup_upload_files function that lacks file type validation. Authenticated attackers with subscriber-level privileges can upload arbitrary files to the server, potentially enabling remote code execution depending on server configuration. This is a high-severity vulnerability (CVSS 8.8) affecting WooCommerce e-commerce sites; exploitation requires valid user credentials but no user interaction.
Missing Authorization (CWE-862) vulnerability in WP Swings Membership For WooCommerce that allows unauthenticated attackers to access functionality not properly constrained by Access Control Lists (ACLs). The vulnerability affects versions up to and including 2.8.1 of this WordPress/WooCommerce plugin, enabling unauthorized users to bypass membership restrictions and potentially access premium features or sensitive membership data without valid credentials. With a CVSS score of 7.5 and a network-accessible attack vector requiring no privileges or user interaction, this represents a significant exposure risk for e-commerce sites relying on this plugin for membership management.
CVE-2025-48129 is an Incorrect Privilege Assignment vulnerability (CWE-266) in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin that allows unauthenticated remote attackers to escalate privileges and gain complete control over affected WordPress installations. The vulnerability affects versions up to and including 2.4.37, with a critical CVSS 9.8 score indicating network-exploitable, low-complexity privilege escalation requiring no authentication or user interaction. Active exploitation status and proof-of-concept availability would significantly elevate real-world risk given the plugin's direct access to WooCommerce/WP E-commerce price modification functionality.
Local File Inclusion (LFI) vulnerability in WP Event Manager WordPress plugin versions through 3.1.49 that allows unauthenticated remote attackers to include and execute arbitrary PHP files from the server filesystem. This CWE-98 vulnerability has a CVSS score of 8.1 (High severity) with high impact on confidentiality, integrity, and availability. While the vulnerability requires specific conditions (AC:H), its network accessibility and lack of authentication requirements make it a significant risk for affected WordPress installations.
A path traversal vulnerability (CWE-22) in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin allows unauthenticated remote attackers to read arbitrary files from the server by manipulating file path parameters. The vulnerability affects all versions through 2.4.37 and has a CVSS score of 7.5, indicating high confidentiality impact with no authentication required. Real-world exploitability depends on confirmation of active exploitation status and proof-of-concept availability; the low attack complexity and network accessibility suggest this is a genuine, easily-exploitable threat to affected WordPress installations.
A remote code execution vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
A critical SQL injection vulnerability (CVE-2025-48122) exists in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin affecting versions through 2.4.37. An unauthenticated remote attacker can execute arbitrary SQL commands to extract sensitive database information including customer data and product details. The high CVSS score of 9.3 combined with network accessibility and no authentication requirement makes this a severe priority, particularly if the vulnerability is actively exploited or proof-of-concept code is publicly available.
A remote code execution vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce allows SQL Injection (CVSS 9.3). Risk factors: EPSS 32% exploitation probability.
Missing Authorization vulnerability (CWE-862) in the Icegram Collect WordPress plugin versions up to 1.3.18 that allows authenticated attackers with low privileges to exploit misconfigured access controls. An attacker with a valid WordPress user account can modify or delete form data and potentially cause service disruption by leveraging inadequate authorization checks on sensitive operations, with no confidentiality impact but significant integrity and availability risks.
A remote code execution vulnerability in moreconvert MC Woocommerce Wishlist allows Reflected XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.
A cross-site scripting vulnerability in revmakx Backup and Staging by WP Time Capsule allows Reflected XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.
Missing Authorization vulnerability in Fahad Mahmood's Stock Locations for WooCommerce plugin (versions up to 2.8.6) that allows authenticated users with low privileges to perform unauthorized actions including information disclosure and availability disruption. An attacker with basic user credentials can bypass access controls to modify stock locations or trigger denial-of-service conditions due to improper privilege verification. This vulnerability has a CVSS score of 7.1 (High) and affects WooCommerce installations using the vulnerable plugin; KEV status and active exploitation data are not currently confirmed in public advisories.
Blind SQL Injection vulnerability in the WP Lead Capturing Pages WordPress plugin (versions through 2.3) that allows unauthenticated remote attackers to extract sensitive data from the database without leaving obvious traces. The vulnerability has a critical CVSS score of 9.3 due to its network-accessible attack vector, low complexity, and requirement for no privileges or user interaction. While specific KEV or active exploitation status is not confirmed in available intelligence, the high CVSS, blind SQL injection nature, and broad applicability across WordPress installations make this a priority for remediation.
Critical deserialization vulnerability in themeton FLAP - Business WordPress Theme (versions up to 1.5) that allows unauthenticated remote attackers to achieve arbitrary object injection without user interaction. The vulnerability has a near-perfect CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating complete compromise of confidentiality, integrity, and availability is possible. Given the network-accessible attack vector and low complexity, this represents a critical risk to all WordPress installations using vulnerable theme versions.
Critical deserialization of untrusted data vulnerability in themeton's 'The Fashion - Model Agency One Page Beauty Theme' WordPress theme (versions up to 1.4.4) that enables object injection attacks. An unauthenticated, remote attacker can exploit this with no user interaction required to achieve complete system compromise including confidentiality, integrity, and availability breaches. The CVSS 9.8 score reflects the critical nature (network-accessible, low complexity, no privileges needed, high impact across all security properties), though real-world exploitation likelihood depends on whether public POCs exist and if the vulnerability is actively being weaponized in the wild.
A remote code execution vulnerability in snstheme Valen - Sport (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Blind SQL Injection vulnerability in the TicketBAI Facturas para WooCommerce plugin (versions up to 3.19) that allows unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has a critical CVSS score of 9.3 with network-based attack vector requiring no privileges or user interaction, potentially enabling data exfiltration from WordPress database instances. Active exploitation status and proof-of-concept availability should be verified through KEV databases and security research channels.
A remote code execution vulnerability in snstheme BodyCenter - Gym (CVSS 8.1). High severity vulnerability requiring prompt remediation.
The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Social Sharing Plugin - Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.
The Essential Addons for Elementor - Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_pricing_item_tooltip_content parameter of the Pricing Table Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Essential Addons for Elementor - Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_event_details_text parameter of Event Calendar Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A cross-site scripting vulnerability in all (CVSS 7.2). High severity vulnerability requiring prompt remediation.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
SQL injection vulnerability in Andrei Filonov's WP Text Expander WordPress plugin (versions through 1.0.1) that allows authenticated attackers with high-privilege administrative roles to execute arbitrary SQL queries. The vulnerability has a CVSS score of 7.6 (high severity) due to its ability to achieve confidentiality compromise and limited availability impact, though it requires administrative credentials to exploit. No current KEV (Known Exploited Vulnerability) status or public proof-of-concept is indicated in the provided data, suggesting limited real-world active exploitation at present.
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.
The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.8.9) contains an unrestricted file upload vulnerability allowing unauthenticated attackers to bypass file type blacklists and upload dangerous file extensions (.phar, etc.). On servers configured to execute .phar files as PHP (common in default Apache+mod_php setups), this enables remote code execution with high impact to confidentiality, integrity, and availability (CVSS 8.1). While KEV and EPSS data are not provided, the vulnerability is actively exploitable given its public disclosure and network-accessible attack vector.
The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The WordPress Infinite Scroll - Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Wise Chat WordPress plugin versions up to 3.3.4 contains a Stored Cross-Site Scripting (XSS) vulnerability in the X-Forwarded-For header processing that allows unauthenticated attackers to inject malicious scripts without authentication or user interaction. When vulnerable pages are accessed by site visitors, the injected scripts execute in their browsers, potentially enabling credential theft, session hijacking, or malware distribution. This vulnerability has a CVSS score of 7.2 (High) and affects all publicly-facing WordPress installations running the affected plugin versions.
The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments shortcodes in all versions up to, and including, 1.6.8.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Restrict File Access plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.2 via the output() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
The Image Resizer On The Fly WordPress plugin (versions ≤1.1) contains a critical arbitrary file deletion vulnerability in its 'delete' task that allows unauthenticated attackers to remove arbitrary files from the server without authentication. This vulnerability can facilitate remote code execution by deleting critical files such as wp-config.php, leading to complete WordPress installation compromise. With a CVSS score of 9.1 and network-accessible attack vector requiring no user interaction or privileges, this represents a critical risk to all unpatched installations.
The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'url_shortener_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the 'xisearch-key-config' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the 'yougler-plugin.php' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The kk Youtube Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kkytv' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the 'zen-social-sticky/zen-sticky-social.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Easy Flashcards plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the 'ef_settings_submenu' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status-classic-offline-text’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter in all versions up to, and including, 4.22 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The AI Image Lab - Free AI Image Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the 'wpz-ai-images' page. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A remote code execution vulnerability in all (CVSS 8.1). High severity vulnerability requiring prompt remediation.
The UserPro - Community and User Profile WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.10 via the userpro_fbconnect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
AutomatorWP plugin for WordPress versions up to 5.2.3 contains a time-based SQL injection vulnerability in the field_conditions parameter that allows authenticated administrators and higher-privileged users to extract sensitive database information through insufficient input escaping and lack of prepared statements. While the CVSS score of 7.2 is moderately high, exploitation requires administrator-level access, significantly limiting real-world attack surface; no active exploitation in the wild has been confirmed at this time.
A remote code execution vulnerability in File Manager Pro - Filester (CVSS 7.2). High severity vulnerability requiring prompt remediation.
The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the 'OnAdminApi_CacheOpBegin' function. This makes it possible for unauthenticated attackers to perform several administrative actions, including deleting the cache, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The WP Travel Engine plugin for WordPress contains a missing capability check in the delete_package() function, allowing unauthenticated attackers to delete arbitrary posts without authentication. This vulnerability affects all versions up to and including 6.5.1 and results in unauthorized data loss with a CVSS score of 7.5. The vulnerability is network-accessible with no user interaction required, making it a significant integrity risk for WordPress installations running vulnerable plugin versions.
The IndieBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘kind’ parameter in all versions up to, and including, 0.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Telegram for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Digital Marketing and Agency Templates Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the import_templates() function. This makes it possible for unauthenticated attackers to trigger an import via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The WP Sliding Login/Dashboard Panel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the wp_sliding_panel_user_options() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Link Shield plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.4. This is due to missing or incorrect nonce validation on the link_shield_menu_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The ACF Onyx Poll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The REST API | Custom API Generator For Cross Platform And Import Export plugin for WordPress (versions 1.0.0-2.0.3) contains a critical privilege escalation vulnerability where the process_handler() function lacks capability checks, allowing unauthenticated attackers to create administrator accounts via malicious JSON imports. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this is a severe, likely actively exploited vulnerability affecting any WordPress installation using vulnerable plugin versions.
The Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hex’ parameter in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Contact Us Page - Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmcalendarview' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmflat' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmeventlist' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possible for unauthenticated attackers to extract sensitive data including site content that has been restricted to certain users and/or roles.
A file upload vulnerability in all (CVSS 8.8). High severity vulnerability requiring prompt remediation.
A authentication bypass vulnerability in all (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Xagio SEO plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 7.1.0.16 that allows unauthenticated attackers to inject malicious scripts via the HTTP_REFERER parameter. When users access pages containing injected payloads, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. The vulnerability was only partially patched in version 7.1.0.0, indicating that complete mitigation requires upgrading to a version beyond 7.1.0.16.
CubeWP - All-in-One Dynamic Content Framework plugin for WordPress versions up to 1.1.23 contains a privilege escalation vulnerability that allows authenticated attackers with Subscriber-level access to elevate their privileges to administrator through arbitrary user meta manipulation. The vulnerability exploits improper access controls on the update_user_meta() function, enabling account takeover and full site compromise. No active exploitation in the wild has been confirmed at this time, but the low attack complexity and high impact make this a critical remediation priority.
The WordPress Automatic Plugin (all versions up to 3.115.0) contains an arbitrary file upload vulnerability in core.php due to insufficient file type validation, allowing authenticated attackers with Author-level or higher privileges to upload malicious files and potentially achieve remote code execution. This is a high-severity vulnerability (CVSS 8.8) affecting a widely-deployed WordPress plugin; real-world exploitation requires valid WordPress credentials at Author level or above, but successful exploitation enables complete server compromise.
WP-DownloadManager plugin for WordPress versions up to 1.68.10 contains an arbitrary file deletion vulnerability (CVE-2025-4799) that allows authenticated administrators to delete any file on the server without directory restrictions. When paired with CVE-2025-4798, attackers can delete critical files like wp-config.php, leading to remote code execution. The vulnerability requires high-privilege administrative access, resulting in a CVSS 7.2 score with high confidentiality, integrity, and availability impact.
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.
The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Min Max Step Quantity Limits Manager for WooCommerce allows Cross Site Request Forgery.This issue affects Min Max Step Quantity Limits Manager for WooCommerce: from n/a through 5.1.0.
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Smash Balloon Social Post Feed - Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Ultimate Blocks - WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A arbitrary file access vulnerability (CVSS 8.8). Risk factors: public PoC available.
A SQL injection vulnerability in through 1.0.0 does not properly sanitise and escape a parameter (CVSS 7.5). Risk factors: public PoC available.
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Bunny’s Print CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.95. This is due to missing or incorrect nonce validation on the pcss_options_subpanel() function. This makes it possible for unauthenticated attackers to update settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The RH - Real Estate WordPress Theme contains an Improper Access Control vulnerability (CWE-269) that allows authenticated subscribers and higher-privileged users to escalate their account privileges to administrator level through the inspiry_update_profile() function. All versions up to and including 4.4.0 are affected; versions 4.4.0 contain a partial patch while 4.4.1 provides complete remediation. With a CVSS score of 8.8 and network-based attack vector requiring only low-privilege authentication, this represents a critical privilege escalation risk for any WordPress installation using this theme.
The Abandoned Cart Pro for WooCommerce plugin (versions ≤9.16.0) contains an authenticated arbitrary file upload vulnerability in the wcap_add_to_cart_popup_upload_files function that lacks file type validation. Authenticated attackers with subscriber-level privileges can upload arbitrary files to the server, potentially enabling remote code execution depending on server configuration. This is a high-severity vulnerability (CVSS 8.8) affecting WooCommerce e-commerce sites; exploitation requires valid user credentials but no user interaction.
Missing Authorization (CWE-862) vulnerability in WP Swings Membership For WooCommerce that allows unauthenticated attackers to access functionality not properly constrained by Access Control Lists (ACLs). The vulnerability affects versions up to and including 2.8.1 of this WordPress/WooCommerce plugin, enabling unauthorized users to bypass membership restrictions and potentially access premium features or sensitive membership data without valid credentials. With a CVSS score of 7.5 and a network-accessible attack vector requiring no privileges or user interaction, this represents a significant exposure risk for e-commerce sites relying on this plugin for membership management.
CVE-2025-48129 is an Incorrect Privilege Assignment vulnerability (CWE-266) in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin that allows unauthenticated remote attackers to escalate privileges and gain complete control over affected WordPress installations. The vulnerability affects versions up to and including 2.4.37, with a critical CVSS 9.8 score indicating network-exploitable, low-complexity privilege escalation requiring no authentication or user interaction. Active exploitation status and proof-of-concept availability would significantly elevate real-world risk given the plugin's direct access to WooCommerce/WP E-commerce price modification functionality.
Local File Inclusion (LFI) vulnerability in WP Event Manager WordPress plugin versions through 3.1.49 that allows unauthenticated remote attackers to include and execute arbitrary PHP files from the server filesystem. This CWE-98 vulnerability has a CVSS score of 8.1 (High severity) with high impact on confidentiality, integrity, and availability. While the vulnerability requires specific conditions (AC:H), its network accessibility and lack of authentication requirements make it a significant risk for affected WordPress installations.
A path traversal vulnerability (CWE-22) in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin allows unauthenticated remote attackers to read arbitrary files from the server by manipulating file path parameters. The vulnerability affects all versions through 2.4.37 and has a CVSS score of 7.5, indicating high confidentiality impact with no authentication required. Real-world exploitability depends on confirmation of active exploitation status and proof-of-concept availability; the low attack complexity and network accessibility suggest this is a genuine, easily-exploitable threat to affected WordPress installations.
A remote code execution vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
A critical SQL injection vulnerability (CVE-2025-48122) exists in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin affecting versions through 2.4.37. An unauthenticated remote attacker can execute arbitrary SQL commands to extract sensitive database information including customer data and product details. The high CVSS score of 9.3 combined with network accessibility and no authentication requirement makes this a severe priority, particularly if the vulnerability is actively exploited or proof-of-concept code is publicly available.
A remote code execution vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce allows SQL Injection (CVSS 9.3). Risk factors: EPSS 32% exploitation probability.
Missing Authorization vulnerability (CWE-862) in the Icegram Collect WordPress plugin versions up to 1.3.18 that allows authenticated attackers with low privileges to exploit misconfigured access controls. An attacker with a valid WordPress user account can modify or delete form data and potentially cause service disruption by leveraging inadequate authorization checks on sensitive operations, with no confidentiality impact but significant integrity and availability risks.
A remote code execution vulnerability in moreconvert MC Woocommerce Wishlist allows Reflected XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.
A cross-site scripting vulnerability in revmakx Backup and Staging by WP Time Capsule allows Reflected XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.
Missing Authorization vulnerability in Fahad Mahmood's Stock Locations for WooCommerce plugin (versions up to 2.8.6) that allows authenticated users with low privileges to perform unauthorized actions including information disclosure and availability disruption. An attacker with basic user credentials can bypass access controls to modify stock locations or trigger denial-of-service conditions due to improper privilege verification. This vulnerability has a CVSS score of 7.1 (High) and affects WooCommerce installations using the vulnerable plugin; KEV status and active exploitation data are not currently confirmed in public advisories.
Blind SQL Injection vulnerability in the WP Lead Capturing Pages WordPress plugin (versions through 2.3) that allows unauthenticated remote attackers to extract sensitive data from the database without leaving obvious traces. The vulnerability has a critical CVSS score of 9.3 due to its network-accessible attack vector, low complexity, and requirement for no privileges or user interaction. While specific KEV or active exploitation status is not confirmed in available intelligence, the high CVSS, blind SQL injection nature, and broad applicability across WordPress installations make this a priority for remediation.
Critical deserialization vulnerability in themeton FLAP - Business WordPress Theme (versions up to 1.5) that allows unauthenticated remote attackers to achieve arbitrary object injection without user interaction. The vulnerability has a near-perfect CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating complete compromise of confidentiality, integrity, and availability is possible. Given the network-accessible attack vector and low complexity, this represents a critical risk to all WordPress installations using vulnerable theme versions.
Critical deserialization of untrusted data vulnerability in themeton's 'The Fashion - Model Agency One Page Beauty Theme' WordPress theme (versions up to 1.4.4) that enables object injection attacks. An unauthenticated, remote attacker can exploit this with no user interaction required to achieve complete system compromise including confidentiality, integrity, and availability breaches. The CVSS 9.8 score reflects the critical nature (network-accessible, low complexity, no privileges needed, high impact across all security properties), though real-world exploitation likelihood depends on whether public POCs exist and if the vulnerability is actively being weaponized in the wild.
A remote code execution vulnerability in snstheme Valen - Sport (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Blind SQL Injection vulnerability in the TicketBAI Facturas para WooCommerce plugin (versions up to 3.19) that allows unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has a critical CVSS score of 9.3 with network-based attack vector requiring no privileges or user interaction, potentially enabling data exfiltration from WordPress database instances. Active exploitation status and proof-of-concept availability should be verified through KEV databases and security research channels.
A remote code execution vulnerability in snstheme BodyCenter - Gym (CVSS 8.1). High severity vulnerability requiring prompt remediation.
The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Social Sharing Plugin - Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.
The Essential Addons for Elementor - Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_pricing_item_tooltip_content parameter of the Pricing Table Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Essential Addons for Elementor - Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_event_details_text parameter of Event Calendar Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A cross-site scripting vulnerability in all (CVSS 7.2). High severity vulnerability requiring prompt remediation.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
SQL injection vulnerability in Andrei Filonov's WP Text Expander WordPress plugin (versions through 1.0.1) that allows authenticated attackers with high-privilege administrative roles to execute arbitrary SQL queries. The vulnerability has a CVSS score of 7.6 (high severity) due to its ability to achieve confidentiality compromise and limited availability impact, though it requires administrative credentials to exploit. No current KEV (Known Exploited Vulnerability) status or public proof-of-concept is indicated in the provided data, suggesting limited real-world active exploitation at present.