WordPress
Monthly
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in esigngenie Foxit eSign for WordPress allows Retrieve Embedded Sensitive Data. This issue affects Foxit eSign for WordPress: from n/a through 2.0.3.
Unrestricted Upload of File with Dangerous Type vulnerability in Agile Logix Store Locator WordPress allows Upload a Web Shell to a Web Server. This issue affects Store Locator WordPress: from n/a through 1.5.2.
SQL injection vulnerability in Agile Logix Store Locator WordPress plugin (versions up to 1.5.1) that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.6 with high confidentiality impact and limited availability impact, though it requires administrative-level privileges to exploit. The scope is changed, indicating potential impact beyond the vulnerable component itself.
SQL Injection vulnerability in GamiPress (a WordPress gamification plugin) affecting versions through 7.4.5. An authenticated attacker with high privileges can execute arbitrary SQL commands to read sensitive database information, potentially compromising data confidentiality and availability. While the CVSS score is 7.6 (high), the attack requires high privileges and there is no public indication of active exploitation in the wild.
A remote code execution vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
PHP Local File Inclusion (LFI) vulnerability in WP Travel Engine affecting versions through 6.5.1. An authenticated attacker with low privileges can exploit improper filename control in PHP include/require statements to read arbitrary files from the server, potentially obtaining sensitive configuration data, credentials, or source code. While the CVSS score is moderate (7.5), the vulnerability requires authentication and higher attack complexity, but successful exploitation could lead to complete information disclosure and potential privilege escalation.
PHP Local File Inclusion (LFI) vulnerability in Magazine3's WP Multilang plugin versions up to 2.4.19, stemming from improper control of filenames in PHP include/require statements. An authenticated attacker with low privileges can exploit this vulnerability to read arbitrary local files on the affected WordPress server, potentially leading to information disclosure, code execution, or system compromise. The CVSS score of 7.5 reflects high confidentiality and integrity impact, though exploitation requires valid credentials and non-standard conditions (AC:H).
Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Feed for WooCommerce: from n/a through 2.2.8.
Cross-Site Request Forgery (CSRF) vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce allows Cross Site Request Forgery. This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through 5.5.0.
Missing Authorization vulnerability in Miguel Fuentes Payment QR WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment QR WooCommerce: from n/a through 1.1.6.
PHP Local File Inclusion (LFI) vulnerability in the WP Shopify plugin (versions up to 1.5.3) that allows authenticated attackers to include and execute arbitrary local files on the web server through improper control of filename parameters in PHP include/require statements. The vulnerability requires low-privilege user access (PR:L) and has moderate attack complexity (AC:H), but results in complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H), making it a significant risk for WordPress sites using this plugin.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chaport Live Chat WP Live Chat + Chatbots Plugin for WordPress - Chaport allows Stored XSS. This issue affects WP Live Chat + Chatbots Plugin for WordPress - Chaport: from n/a through 1.1.5.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham All Currencies for WooCommerce woocommerce-all-currencies allows Stored XSS.This issue affects All Currencies for WooCommerce: from n/a through 2.4.3.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in broadly Broadly for WordPress allows Stored XSS. This issue affects Broadly for WordPress: from n/a through 3.0.2.
A remote code execution vulnerability (CVSS 5.3) that allows accessing functionality not properly constrained. Remediation should follow standard vulnerability management procedures.
A Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin versions up to 1.5 allows unauthenticated attackers to perform unauthorized actions via crafted requests. While the CVE description anomalously mentions SQL Injection alongside CSRF, the CVSS vector (CWE-352: CSRF) and vector string indicate the primary threat is CSRF with consequential impacts on confidentiality (High) and availability (Low). The vulnerability requires user interaction (UI:R) and affects confidentiality significantly, making it a material risk for WordPress installations using this plugin, particularly if no active mitigation or patch is available.
Cross-Site Request Forgery (CSRF) vulnerability in storepro Subscription Renewal Reminders for WooCommerce allows Cross Site Request Forgery. This issue affects Subscription Renewal Reminders for WooCommerce: from n/a through 1.3.7.
A cross-site scripting vulnerability in Soli WP Mail Options allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.
CSRF vulnerability in mail250 Free WP Mail SMTP (versions up to 1.0) that enables stored XSS attacks, allowing unauthenticated remote attackers to inject malicious scripts via crafted requests. The vulnerability requires user interaction (UI:R) but has network-based attack vector (AV:N) with low complexity (AC:L), affecting WordPress installations using this email plugin. While CVSS 7.1 indicates medium-high severity with confidentiality, integrity, and availability impact, real-world exploitation depends on KEV status, EPSS probability, and public POC availability-data not provided in the source material.
Cross-Site Request Forgery (CSRF) vulnerability in the dilemma123 Recent Posts Slider Responsive WordPress plugin (versions through 1.0.1) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads, which execute in the browsers of site administrators and visitors, potentially leading to account compromise, malware distribution, or defacement. The vulnerability requires user interaction (UI:R) but has network-accessible attack surface (AV:N) with moderate CVSS score of 7.1 and should be prioritized for patched WordPress installations running vulnerable plugin versions.
Cross-Site Request Forgery (CSRF) vulnerability in the wphobby Backwp WordPress plugin (versions through 2.0.2) that enables path traversal attacks. An unauthenticated remote attacker can exploit this via a crafted web request to perform unauthorized actions and potentially access sensitive files outside intended directories. While the CVSS score of 7.4 indicates high severity with availability impact, the vulnerability requires user interaction (UI:R) and affects availability rather than confidentiality or integrity, suggesting moderate real-world exploitability.
Cross-Site Request Forgery (CSRF) vulnerability in the codedraft Mediabay WordPress plugin (versions up to 1.4) that enables reflected XSS attacks. Attackers can exploit this network-accessible vulnerability without authentication to perform unauthorized actions on behalf of authenticated users and inject malicious scripts, affecting WordPress installations using this media library plugin. The CVSS 7.1 score and absence of KEV/active exploitation data suggest moderate real-world risk with UI interaction required.
A remote code execution vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
SQL injection vulnerability in the WP Post Corrector WordPress plugin (versions up to 1.0.2) that allows authenticated attackers with high privileges to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure and limited service disruption. The vulnerability requires administrator-level access to exploit, significantly limiting its immediate threat surface, though it could be chained with privilege escalation attacks.
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third‐party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password.
The Domain For Sale plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 3.0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A deserialization vulnerability in Teastudio (CVSS 8.8). High severity vulnerability requiring prompt remediation.
The StageShow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘anchor’ parameter in all versions up to, and including, 10.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Developer Formatter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2015.0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Paged Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WordPress Ajax Load More and Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Hide It plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hideit' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WP-Addpub plugin for WordPress is vulnerable to SQL Injection via the 'wp-addpub' shortcode in all versions up to, and including, 1.2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Runners Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'runnerslog' shortcode in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The BNS Featured Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bnsfc' shortcode in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Freemind Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'freemind' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The ESV Bible Shortcode for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'esv' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Knowledge Base plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kbalert' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WP Email Debug WordPress plugin (versions 1.0-1.1.0) contains a critical privilege escalation vulnerability (CVE-2025-5486) stemming from missing capability checks in the WPMDBUG_handle_settings() function. Unauthenticated attackers can exploit this to modify plugin settings, redirect administrator emails to attacker-controlled addresses, and trigger password resets to gain full administrative access to affected WordPress installations. The CVSS 9.8 score reflects network-based exploitation with zero complexity and no authentication required, representing a critical severity threat with high real-world exploitation potential.
The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Hive Support WordPress plugin (versions ≤1.2.4) contains missing capability checks in the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions, allowing authenticated Subscriber-level users to read and modify sensitive data including OpenAI API keys, inspection data, and AI chat prompts. With a CVSS score of 7.1 and network-accessible attack vector requiring only user authentication, this vulnerability poses significant risk to WordPress installations using this plugin. The vulnerability may be a duplicate of CVE-2025-32208 or CVE-2025-32242, and patch status and active exploitation metrics are currently unknown.
The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The WP Online Users Stats plugin for WordPress is vulnerable to time-based SQL Injection via the ‘table_name’ parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in all (CVSS 6.4). Remediation should follow standard vulnerability management procedures.
The Short URL WordPress plugin through version 1.6.8 contains a SQL injection vulnerability (CWE-89) in an unsanitized parameter used directly in SQL statements. This vulnerability is exploitable by low-privileged users (subscribers), allowing attackers to extract sensitive database information, modify data, or potentially execute arbitrary code. With a CVSS score of 8.8 and network-accessible attack vector requiring only low privilege level, this represents a critical risk to WordPress installations using vulnerable plugin versions.
A security vulnerability in for WordPress is vulnerable to Full Path Disclosure in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The HyperComments WordPress plugin versions up to 1.2.2 contain a critical missing capability check vulnerability in the hc_request_handler function that allows unauthenticated remote attackers to modify arbitrary WordPress options without authentication. This can be directly exploited to escalate privileges by changing the default registration role to administrator and enabling user registration, granting attackers immediate administrative access to vulnerable sites. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this vulnerability poses an extreme risk to any unpatched WordPress installation using the affected plugin.
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id' and 'data-size’ parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WP User Frontend Pro plugin versions up to 4.1.3 contain an arbitrary file deletion vulnerability in the delete_avatar_ajax() function that allows authenticated Subscriber-level users to delete critical files on WordPress servers without proper path validation. Successful exploitation can lead to remote code execution by deleting sensitive files such as wp-config.php, and the vulnerability is actively exploitable with no user interaction required. This represents a critical post-authentication privilege escalation affecting a widely-used WordPress plugin.
WP User Frontend Pro plugin for WordPress versions up to 4.1.3 contains an arbitrary file upload vulnerability in the upload_files() function due to missing file type validation, allowing authenticated Subscriber-level users to upload malicious files and achieve remote code execution. This vulnerability is particularly dangerous because it requires only Subscriber-level privileges (the lowest authenticated role in WordPress) and no user interaction, making it a high-severity post-authentication attack vector. The vulnerability is conditional on the Private Message module being enabled and requires the Business version of the PRO software.
The Sunshine Photo Cart plugin for WordPress (versions ≤3.4.11) contains an improper key validation vulnerability in its password reset functionality, allowing authenticated attackers with Subscriber-level privileges to perform privilege escalation by resetting arbitrary user passwords, including administrators. With a CVSS score of 8.8 and a low attack complexity (network-accessible, no user interaction required), this vulnerability poses a critical threat to WordPress installations using this plugin. The vulnerability is likely to be actively exploited given the straightforward attack path and the high-value target (admin account takeover).
The File Provider WordPress plugin through 1.2.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
SQL injection in File Provider WordPress plugin through 1.2.3. PoC available.
The Simple Contact Form Plugin for WordPress - WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Campus Directory - Faculty, Staff & Student Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Employee Directory - Staff Listing & Team Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Music Player for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘album_buy_url’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Profile Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's user_meta and compare shortcodes in all versions up to, and including, 3.13.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘popupID' parameter in all versions up to, and including, 1.20.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A cross-site scripting vulnerability in Secure File Sharing (CVSS 7.2). High severity vulnerability requiring prompt remediation.
The WP Plugin Info Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerid’ parameter in all versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue is due to an incomplete patch for CVE-2025-31835.
The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to boolean-based SQL Injection via the 'default_price' and 'product_id' parameters in all versions up to, and including, 3.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Vayu Blocks - Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerWidth’ parameter in all versions up to, and including, 1.3.1 due to a missing capability check on the vayu_blocks_option_panel_callback() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Bit File Manager - 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
The Post Slider and Post Carousel with Post Vertical Scrolling Widget WordPress plugin before 3.2.10 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS
The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Auth bypass account takeover in Golo City Travel Guide WordPress theme.
A cross-site scripting vulnerability in wpForo Advanced Attachments (CVSS 7.2). High severity vulnerability requiring prompt remediation.
A security vulnerability in Broken Link Checker (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.
The WordPress Comments Import & Export plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in all versions up to, and including, 2.4.3. Additionally, the plugin fails to properly sanitize and escape FTP settings parameters. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts on the plugin settings page that will execute whenever an administrative user accesses an injected page. The vulnerability was partially fixed in version 2.4.3 and fully fixed in version 2.4.4
The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.
The Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin before 5.1.6, real-cookie-banner-pro WordPress plugin before 5.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
The Free Booking Plugin for Hotels, Restaurants and Car Rentals - eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The Borderless - Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.7.1 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Element Pack Addons for Elementor - Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Product Subtitle for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmlTag’ parameter in all versions up to, and including, 1.3.9 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Offsprout Page Builder plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization placed on the permission_callback() function in versions 2.2.1 to 2.15.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The FastSpring plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fastspring/block-fastspringblocks-complete-product-catalog' block in all versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.8.4 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The WP-GeoMeta plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wp_ajax_wpgm_start_geojson_import() function in versions 0.3.4 to 0.3.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Relevanssi - A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Excerpt Highlights in all versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium). Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Insertion of Sensitive Information Into Sent Data vulnerability in Vanquish WooCommerce Orders & Customers Exporter allows Retrieve Embedded Sensitive Data.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in esigngenie Foxit eSign for WordPress allows Retrieve Embedded Sensitive Data. This issue affects Foxit eSign for WordPress: from n/a through 2.0.3.
Unrestricted Upload of File with Dangerous Type vulnerability in Agile Logix Store Locator WordPress allows Upload a Web Shell to a Web Server. This issue affects Store Locator WordPress: from n/a through 1.5.2.
SQL injection vulnerability in Agile Logix Store Locator WordPress plugin (versions up to 1.5.1) that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability has a CVSS score of 7.6 with high confidentiality impact and limited availability impact, though it requires administrative-level privileges to exploit. The scope is changed, indicating potential impact beyond the vulnerable component itself.
SQL Injection vulnerability in GamiPress (a WordPress gamification plugin) affecting versions through 7.4.5. An authenticated attacker with high privileges can execute arbitrary SQL commands to read sensitive database information, potentially compromising data confidentiality and availability. While the CVSS score is 7.6 (high), the attack requires high privileges and there is no public indication of active exploitation in the wild.
A remote code execution vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
PHP Local File Inclusion (LFI) vulnerability in WP Travel Engine affecting versions through 6.5.1. An authenticated attacker with low privileges can exploit improper filename control in PHP include/require statements to read arbitrary files from the server, potentially obtaining sensitive configuration data, credentials, or source code. While the CVSS score is moderate (7.5), the vulnerability requires authentication and higher attack complexity, but successful exploitation could lead to complete information disclosure and potential privilege escalation.
PHP Local File Inclusion (LFI) vulnerability in Magazine3's WP Multilang plugin versions up to 2.4.19, stemming from improper control of filenames in PHP include/require statements. An authenticated attacker with low privileges can exploit this vulnerability to read arbitrary local files on the affected WordPress server, potentially leading to information disclosure, code execution, or system compromise. The CVSS score of 7.5 reflects high confidentiality and integrity impact, though exploitation requires valid credentials and non-standard conditions (AC:H).
Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Feed for WooCommerce: from n/a through 2.2.8.
Cross-Site Request Forgery (CSRF) vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce allows Cross Site Request Forgery. This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through 5.5.0.
Missing Authorization vulnerability in Miguel Fuentes Payment QR WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment QR WooCommerce: from n/a through 1.1.6.
PHP Local File Inclusion (LFI) vulnerability in the WP Shopify plugin (versions up to 1.5.3) that allows authenticated attackers to include and execute arbitrary local files on the web server through improper control of filename parameters in PHP include/require statements. The vulnerability requires low-privilege user access (PR:L) and has moderate attack complexity (AC:H), but results in complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H), making it a significant risk for WordPress sites using this plugin.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chaport Live Chat WP Live Chat + Chatbots Plugin for WordPress - Chaport allows Stored XSS. This issue affects WP Live Chat + Chatbots Plugin for WordPress - Chaport: from n/a through 1.1.5.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham All Currencies for WooCommerce woocommerce-all-currencies allows Stored XSS.This issue affects All Currencies for WooCommerce: from n/a through 2.4.3.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in broadly Broadly for WordPress allows Stored XSS. This issue affects Broadly for WordPress: from n/a through 3.0.2.
A remote code execution vulnerability (CVSS 5.3) that allows accessing functionality not properly constrained. Remediation should follow standard vulnerability management procedures.
A Cross-Site Request Forgery (CSRF) vulnerability in Webaholicson Epicwin Plugin versions up to 1.5 allows unauthenticated attackers to perform unauthorized actions via crafted requests. While the CVE description anomalously mentions SQL Injection alongside CSRF, the CVSS vector (CWE-352: CSRF) and vector string indicate the primary threat is CSRF with consequential impacts on confidentiality (High) and availability (Low). The vulnerability requires user interaction (UI:R) and affects confidentiality significantly, making it a material risk for WordPress installations using this plugin, particularly if no active mitigation or patch is available.
Cross-Site Request Forgery (CSRF) vulnerability in storepro Subscription Renewal Reminders for WooCommerce allows Cross Site Request Forgery. This issue affects Subscription Renewal Reminders for WooCommerce: from n/a through 1.3.7.
A cross-site scripting vulnerability in Soli WP Mail Options allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.
CSRF vulnerability in mail250 Free WP Mail SMTP (versions up to 1.0) that enables stored XSS attacks, allowing unauthenticated remote attackers to inject malicious scripts via crafted requests. The vulnerability requires user interaction (UI:R) but has network-based attack vector (AV:N) with low complexity (AC:L), affecting WordPress installations using this email plugin. While CVSS 7.1 indicates medium-high severity with confidentiality, integrity, and availability impact, real-world exploitation depends on KEV status, EPSS probability, and public POC availability-data not provided in the source material.
Cross-Site Request Forgery (CSRF) vulnerability in the dilemma123 Recent Posts Slider Responsive WordPress plugin (versions through 1.0.1) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads, which execute in the browsers of site administrators and visitors, potentially leading to account compromise, malware distribution, or defacement. The vulnerability requires user interaction (UI:R) but has network-accessible attack surface (AV:N) with moderate CVSS score of 7.1 and should be prioritized for patched WordPress installations running vulnerable plugin versions.
Cross-Site Request Forgery (CSRF) vulnerability in the wphobby Backwp WordPress plugin (versions through 2.0.2) that enables path traversal attacks. An unauthenticated remote attacker can exploit this via a crafted web request to perform unauthorized actions and potentially access sensitive files outside intended directories. While the CVSS score of 7.4 indicates high severity with availability impact, the vulnerability requires user interaction (UI:R) and affects availability rather than confidentiality or integrity, suggesting moderate real-world exploitability.
Cross-Site Request Forgery (CSRF) vulnerability in the codedraft Mediabay WordPress plugin (versions up to 1.4) that enables reflected XSS attacks. Attackers can exploit this network-accessible vulnerability without authentication to perform unauthorized actions on behalf of authenticated users and inject malicious scripts, affecting WordPress installations using this media library plugin. The CVSS 7.1 score and absence of KEV/active exploitation data suggest moderate real-world risk with UI interaction required.
A remote code execution vulnerability (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
SQL injection vulnerability in the WP Post Corrector WordPress plugin (versions up to 1.0.2) that allows authenticated attackers with high privileges to execute arbitrary SQL queries, potentially leading to unauthorized data disclosure and limited service disruption. The vulnerability requires administrator-level access to exploit, significantly limiting its immediate threat surface, though it could be chained with privilege escalation attacks.
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third‐party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user whose actions generate a login event will have their password recorded; an administrator (or anyone with database read access) can then read those logs and retrieve every captured password.
The Domain For Sale plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 3.0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A deserialization vulnerability in Teastudio (CVSS 8.8). High severity vulnerability requiring prompt remediation.
The StageShow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘anchor’ parameter in all versions up to, and including, 10.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Developer Formatter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2015.0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Paged Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WordPress Ajax Load More and Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Hide It plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hideit' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WP-Addpub plugin for WordPress is vulnerable to SQL Injection via the 'wp-addpub' shortcode in all versions up to, and including, 1.2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Runners Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'runnerslog' shortcode in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The BNS Featured Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bnsfc' shortcode in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Freemind Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'freemind' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The ESV Bible Shortcode for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'esv' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Knowledge Base plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kbalert' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The WP Email Debug WordPress plugin (versions 1.0-1.1.0) contains a critical privilege escalation vulnerability (CVE-2025-5486) stemming from missing capability checks in the WPMDBUG_handle_settings() function. Unauthenticated attackers can exploit this to modify plugin settings, redirect administrator emails to attacker-controlled addresses, and trigger password resets to gain full administrative access to affected WordPress installations. The CVSS 9.8 score reflects network-based exploitation with zero complexity and no authentication required, representing a critical severity threat with high real-world exploitation potential.
The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Hive Support WordPress plugin (versions ≤1.2.4) contains missing capability checks in the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions, allowing authenticated Subscriber-level users to read and modify sensitive data including OpenAI API keys, inspection data, and AI chat prompts. With a CVSS score of 7.1 and network-accessible attack vector requiring only user authentication, this vulnerability poses significant risk to WordPress installations using this plugin. The vulnerability may be a duplicate of CVE-2025-32208 or CVE-2025-32242, and patch status and active exploitation metrics are currently unknown.
The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The WP Online Users Stats plugin for WordPress is vulnerable to time-based SQL Injection via the ‘table_name’ parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
A security vulnerability in all (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
A security vulnerability in all (CVSS 6.4). Remediation should follow standard vulnerability management procedures.
The Short URL WordPress plugin through version 1.6.8 contains a SQL injection vulnerability (CWE-89) in an unsanitized parameter used directly in SQL statements. This vulnerability is exploitable by low-privileged users (subscribers), allowing attackers to extract sensitive database information, modify data, or potentially execute arbitrary code. With a CVSS score of 8.8 and network-accessible attack vector requiring only low privilege level, this represents a critical risk to WordPress installations using vulnerable plugin versions.
A security vulnerability in for WordPress is vulnerable to Full Path Disclosure in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The HyperComments WordPress plugin versions up to 1.2.2 contain a critical missing capability check vulnerability in the hc_request_handler function that allows unauthenticated remote attackers to modify arbitrary WordPress options without authentication. This can be directly exploited to escalate privileges by changing the default registration role to administrator and enabling user registration, granting attackers immediate administrative access to vulnerable sites. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this vulnerability poses an extreme risk to any unpatched WordPress installation using the affected plugin.
The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id' and 'data-size’ parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WP User Frontend Pro plugin versions up to 4.1.3 contain an arbitrary file deletion vulnerability in the delete_avatar_ajax() function that allows authenticated Subscriber-level users to delete critical files on WordPress servers without proper path validation. Successful exploitation can lead to remote code execution by deleting sensitive files such as wp-config.php, and the vulnerability is actively exploitable with no user interaction required. This represents a critical post-authentication privilege escalation affecting a widely-used WordPress plugin.
WP User Frontend Pro plugin for WordPress versions up to 4.1.3 contains an arbitrary file upload vulnerability in the upload_files() function due to missing file type validation, allowing authenticated Subscriber-level users to upload malicious files and achieve remote code execution. This vulnerability is particularly dangerous because it requires only Subscriber-level privileges (the lowest authenticated role in WordPress) and no user interaction, making it a high-severity post-authentication attack vector. The vulnerability is conditional on the Private Message module being enabled and requires the Business version of the PRO software.
The Sunshine Photo Cart plugin for WordPress (versions ≤3.4.11) contains an improper key validation vulnerability in its password reset functionality, allowing authenticated attackers with Subscriber-level privileges to perform privilege escalation by resetting arbitrary user passwords, including administrators. With a CVSS score of 8.8 and a low attack complexity (network-accessible, no user interaction required), this vulnerability poses a critical threat to WordPress installations using this plugin. The vulnerability is likely to be actively exploited given the straightforward attack path and the high-value target (admin account takeover).
The File Provider WordPress plugin through 1.2.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
SQL injection in File Provider WordPress plugin through 1.2.3. PoC available.
The Simple Contact Form Plugin for WordPress - WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Campus Directory - Faculty, Staff & Student Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Employee Directory - Staff Listing & Team Directory Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Music Player for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘album_buy_url’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Profile Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's user_meta and compare shortcodes in all versions up to, and including, 3.13.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘popupID' parameter in all versions up to, and including, 1.20.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A cross-site scripting vulnerability in Secure File Sharing (CVSS 7.2). High severity vulnerability requiring prompt remediation.
The WP Plugin Info Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerid’ parameter in all versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue is due to an incomplete patch for CVE-2025-31835.
The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to boolean-based SQL Injection via the 'default_price' and 'product_id' parameters in all versions up to, and including, 3.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The Vayu Blocks - Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerWidth’ parameter in all versions up to, and including, 1.3.1 due to a missing capability check on the vayu_blocks_option_panel_callback() function and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Bit File Manager - 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
The Post Slider and Post Carousel with Post Vertical Scrolling Widget WordPress plugin before 3.2.10 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS
The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Auth bypass account takeover in Golo City Travel Guide WordPress theme.
A cross-site scripting vulnerability in wpForo Advanced Attachments (CVSS 7.2). High severity vulnerability requiring prompt remediation.
A security vulnerability in Broken Link Checker (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.
The WordPress Comments Import & Export plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in all versions up to, and including, 2.4.3. Additionally, the plugin fails to properly sanitize and escape FTP settings parameters. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts on the plugin settings page that will execute whenever an administrative user accesses an injected page. The vulnerability was partially fixed in version 2.4.3 and fully fixed in version 2.4.4
The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.
The Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin before 5.1.6, real-cookie-banner-pro WordPress plugin before 5.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
The Newsletters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.9.9.9 via the 'file' parameter. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
The Free Booking Plugin for Hotels, Restaurants and Car Rentals - eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The Borderless - Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.7.1 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Element Pack Addons for Elementor - Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Product Subtitle for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmlTag’ parameter in all versions up to, and including, 1.3.9 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Offsprout Page Builder plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization placed on the permission_callback() function in versions 2.2.1 to 2.15.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The FastSpring plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fastspring/block-fastspringblocks-complete-product-catalog' block in all versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.8.4 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The WP-GeoMeta plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wp_ajax_wpgm_start_geojson_import() function in versions 0.3.4 to 0.3.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Relevanssi - A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Excerpt Highlights in all versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium). Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Insertion of Sensitive Information Into Sent Data vulnerability in Vanquish WooCommerce Orders & Customers Exporter allows Retrieve Embedded Sensitive Data.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.