WordPress

5870 CVEs vendor

Monthly

CVE-2024-13785 MEDIUM This Month

The Contact Form, Survey, Quiz & Popup Form Builder - ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable with no authentication required. No vendor patch is available.

RCE WordPress Code Injection
NVD
CVSS 3.1
5.6
EPSS
0.1%
CVE-2026-3619 MEDIUM This Month

The Sheets2Table WordPress plugin versions up to 0.4.1 contain a Stored Cross-Site Scripting (XSS) vulnerability in the [sheets2table-render-table] shortcode's 'titles' attribute, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the display_table_header() function, where user-supplied shortcode attributes are echoed directly into HTML without proper escaping mechanisms such as esc_html().

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3331 MEDIUM PATCH This Month

The Lobot Slider Administrator WordPress plugin (versions up to 0.6.0) contains a Cross-Site Request Forgery (CSRF) vulnerability in the fourty_slider_options_page function due to missing or incorrect nonce validation. This allows unauthenticated attackers to modify plugin slider-page configuration by tricking site administrators into clicking malicious links, potentially altering slider settings and website presentation. The vulnerability carries a moderate CVSS score of 4.3 with low attack complexity, requiring only user interaction and no privileges.

WordPress CSRF
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1313 HIGH This Week

The MimeTypes Link Icons plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability affecting all versions up to and including 3.2.20. Authenticated attackers with Contributor-level access or higher can exploit this flaw when the 'Show file size' option is enabled by embedding crafted links in post content, allowing them to make arbitrary HTTP requests from the server to internal or external resources. This enables querying and potentially modifying information from internal services that should not be accessible from the public internet.

WordPress SSRF
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-3003 HIGH This Week

The Vagaro Booking Widget plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'vagaro_code' parameter affecting all versions up to and including 0.3. Unauthenticated attackers can inject malicious JavaScript that executes whenever any user visits the compromised page, potentially leading to session hijacking, credential theft, or further site compromise. The CVSS score of 7.2 reflects network-based exploitation with no authentication required and changed scope, indicating the attack can affect resources beyond the vulnerable component.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1392 MEDIUM This Month

The SR WP Minify HTML plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the sr_minify_html_theme() function, affecting all versions up to and including 2.1. An unauthenticated attacker can exploit this vulnerability to modify plugin settings by tricking a site administrator into clicking a malicious link, potentially allowing unauthorized changes to site minification configuration. While the CVSS score of 4.3 is moderate and no KEV status or active exploitation has been confirmed, the vulnerability remains exploitable against WordPress installations with this plugin active.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3460 MEDIUM This Month

The REST API TO MiniProgram plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with Subscriber-level access to modify arbitrary users' WeChat shop metadata by exploiting a permission validation flaw. The vulnerability affects all versions up to and including 5.1.2, where the permission callback validates one parameter (openid) but the actual modification function uses a different attacker-controlled parameter (userid) without cross-validation. Attackers can exploit this via the REST API to alter storeinfo, storeappid, and storename fields for any user account, potentially disrupting store operations or impersonating legitimate shop owners.

Information Disclosure WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3641 MEDIUM This Month

The Appmax WordPress plugin versions up to 1.0.3 contain an improper input validation vulnerability in its public REST API webhook endpoint at /webhook-system, which fails to authenticate, verify signatures, or validate the authenticity of incoming webhook requests. Unauthenticated attackers can exploit this by crafting malicious webhook payloads to modify existing WooCommerce order statuses, create arbitrary new orders and products with attacker-controlled data, and inject arbitrary metadata into orders. With a CVSS score of 5.3 (medium severity), a CVSS vector indicating network accessibility with low attack complexity and no authentication required, and confirmed vulnerability references in the official WordPress plugin repository, this vulnerability poses a significant integrity risk to e-commerce sites using the affected plugin.

Information Disclosure WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3996 MEDIUM This Month

The WP Games Embed WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 0.1beta due to insufficient input sanitization and output escaping of shortcode attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript through shortcode parameters such as 'width', 'height', 'src', 'title', 'description', 'game_url', 'main', and 'thumb', which are directly concatenated into HTML output without escaping. When other users visit pages containing the malicious shortcode, the injected scripts execute in their browsers, potentially allowing session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-3332 MEDIUM This Month

The Xhanch - My Advanced Settings WordPress plugin (versions up to 1.1.2) contains a Cross-Site Request Forgery vulnerability in its settings update handler due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings if they can trick an administrator into clicking a malicious link. The vulnerability is particularly dangerous because unescaped output of the `favicon_url` and `ga_acc_id` settings enables a CSRF-to-Stored XSS chain, where injected payloads persist and affect all site visitors. While no active exploitation in the wild has been confirmed in public records and the CVSS score of 4.3 is relatively low, the attack requires only user interaction and results in stored cross-site scripting on the front-end.

Google WordPress CSRF XSS
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2468 HIGH This Week

The Quentn WP plugin for WordPress contains an SQL Injection vulnerability that allows unauthenticated attackers to extract sensitive database information through a malicious 'qntn_wp_access' cookie value. All versions up to and including 1.2.12 are affected. With a CVSS score of 7.5 and requiring no authentication or user interaction, this represents a significant risk for WordPress sites using this plugin, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2294 MEDIUM This Month

The UiPress lite plugin for WordPress through version 3.5.09 fails to validate user permissions on the global settings modification function, allowing authenticated subscribers and higher-privileged users to arbitrarily alter plugin configurations. This insufficient access control enables attackers to modify sensitive settings despite lacking administrative rights. A patch is not currently available.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1253 MEDIUM This Month

The Group Chat & Video Chat by AtomChat WordPress plugin (versions up to 1.1.7) contains a missing capability check vulnerability in the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' AJAX handlers, allowing authenticated Subscriber-level users and above to arbitrarily modify plugin options including API keys and authentication credentials. With a CVSS score of 5.3 and network-based attack vector requiring only authentication (not admin privileges), this represents a medium-severity privilege escalation and configuration tampering issue affecting WordPress installations using this plugin. No evidence of active exploitation in the wild has been documented at this time, though the straightforward nature of the vulnerability (missing capability checks) suggests proof-of-concept code could be easily developed.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1899 MEDIUM This Month

The Any Post Slider WordPress plugin versions up to 1.0.4 contain a Stored Cross-Site Scripting (XSS) vulnerability in the aps_slider shortcode due to insufficient input sanitization and output escaping on the 'post_type' attribute. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in pages and executes for all users who view the injected content. With a CVSS score of 6.4 and attack complexity marked as low, this represents a moderate-severity threat primarily affecting multi-user WordPress installations where contributor access is delegated.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3651 MEDIUM This Month

The Build App Online WordPress plugin contains an authentication bypass vulnerability in the 'build-app-online-update-vendor-product' AJAX action that allows unauthenticated attackers to modify post metadata without authorization. Affected versions are up to and including 1.0.23 as confirmed via CPE (cpe:2.3:a:hakeemnala:build_app_online). Attackers can orphan posts by setting the post_author field to 0 or, if authenticated, claim ownership of arbitrary posts by reassigning authorship, resulting in unauthorized content modification with medium integrity impact (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1806 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Tour & Activity Operator Plugin for TourCMS (all versions up to 1.7.0) affecting WordPress installations. The vulnerability resides in the 'target' parameter of the tourcms_doc_link shortcode, where insufficient input sanitization and output escaping allows authenticated attackers with Contributor-level privileges and above to inject arbitrary JavaScript code that executes in the browsers of users visiting affected pages. With a CVSS score of 6.4 and network-based attack vector requiring only low privileges, this represents a moderate but exploitable risk to WordPress sites using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1247 MEDIUM This Month

The Survey plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in administrative settings due to insufficient input sanitization and output escaping, affecting all versions up to and including 1.1. Authenticated attackers with administrator-level permissions can inject arbitrary JavaScript code that executes when users access affected pages, though this is restricted to multi-site installations or those with unfiltered_html disabled. With a CVSS score of 4.4 and high attack complexity requiring administrator privileges, the real-world risk is moderate; no public exploit code or KEV status has been indicated, making this a lower-priority remediation compared to critical vulnerabilities.

WordPress XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1935 MEDIUM This Month

The Company Posts for LinkedIn WordPress plugin (versions up to 1.0.0) contains a missing authorization vulnerability in the linkedin_company_post_reset_handler() function that allows authenticated attackers with Subscriber-level privileges to delete LinkedIn post data from the site's options table without proper capability checks. This is a privilege escalation flaw where low-privileged users can perform administrative actions. While the CVSS score is moderate at 4.3 and reflects limited integrity impact without confidentiality or availability concerns, the vulnerability enables unauthorized modification of site configuration data by any authenticated user.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1886 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Go Night Pro WordPress Dark Mode Plugin affecting all versions up to and including 1.1.0, where the 'margin' attribute of the 'go-night-pro-shortcode' shortcode fails to properly sanitize and escape user input. Authenticated attackers with contributor-level access or above can inject arbitrary JavaScript code into pages, which executes when other users access the affected pages. This vulnerability carries a CVSS score of 6.4 (Medium) with network-based attack vector and low complexity, requiring valid WordPress credentials but affecting site-wide script execution with potential impact on user data and site integrity.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1891 MEDIUM This Month

The Simple Football Scoreboard plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ytmr_fb_scoreboard' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 1.0 are affected, allowing authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript that executes for all users viewing the compromised page. With a CVSS score of 6.4 and network-based attack vector requiring only low privileges, this represents a moderate but exploitable threat to WordPress sites using this plugin.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13910 MEDIUM This Month

The WP-WebAuthn WordPress plugin contains an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the wwa_auth AJAX endpoint that allows attackers to inject arbitrary JavaScript into the plugin's log page. Affected are all versions up to and including 1.3.4 of the plugin (identified via CPE cpe:2.3:a:axton:wp-webauthn:*:*:*:*:*:*:*:*), which is exploitable only when logging is enabled in plugin settings. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes, enabling persistent XSS execution whenever administrators or authorized users access the logging interface.

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-4069 MEDIUM This Month

The Alfie - Feed Plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'naam' parameter of the alfie_option_page() function, affecting all versions up to and including 1.2.1. The vulnerability stems from missing nonce validation combined with insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject malicious scripts that persist in the plugin's database and execute when users view affected pages. An attacker must successfully social engineer a site administrator into clicking a malicious link, but once exploited, the payload executes with the privileges of any user accessing the compromised page, making this a moderate-risk vulnerability with a CVSS score of 6.1.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2496 MEDIUM This Month

Ed's Font Awesome plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the eds_font_awesome shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 2.0 are affected, allowing authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript that persists in pages and executes for all users viewing those pages. No evidence of active exploitation in the wild (KEV status unknown), but the vulnerability is straightforward to exploit given contributor access and represents a persistent compromise vector.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2424 MEDIUM This Month

The Reward Video Ad for WordPress plugin (all versions up to 1.6) contains a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings due to insufficient input sanitization and output escaping on fields including Account ID, Message before the video, and color parameters. This allows authenticated administrators to inject arbitrary JavaScript that executes whenever any user accesses an affected page, potentially compromising site visitors. The vulnerability requires Administrator-level access to exploit, limiting the attack surface to high-privilege accounts, though once injected, the malicious scripts execute with no further user interaction required.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-4084 MEDIUM This Month

The fyyd podcast shortcodes plugin for WordPress contains a Stored Cross-Site Scripting vulnerability affecting all versions up to and including 0.3.1, where shortcode attributes (color, podcast_id, podcast_slug) are improperly concatenated into inline JavaScript without sanitization or escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages, allowing session hijacking, credential theft, or malware distribution. The CVSS 6.4 score reflects moderate risk with network-accessible attack vector and low complexity, though exploitation requires prior authentication.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4127 MEDIUM This Month

The Speedup Optimization plugin for WordPress contains a missing authorization vulnerability in the `speedup01_ajax_enabled()` AJAX handler that fails to verify user capabilities or nonce tokens, allowing authenticated attackers with Subscriber-level privileges to enable or disable the site's optimization module. Affected versions include all releases up to and including 1.5.9, as documented by Wordfence. While the CVSS score of 5.3 is moderate, the vulnerability represents a clear authorization bypass that could allow low-privileged attackers to degrade site performance or disable security-relevant optimization features.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1093 MEDIUM This Month

The WPFAQBlock plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the 'class' parameter of the 'wpfaqblock' shortcode, affecting all versions up to and including 1.1. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in pages and executes for all users visiting those pages. With a CVSS score of 6.4 and low attack complexity, this represents a moderate-to-significant risk for WordPress installations using this plugin, particularly on multi-author sites where contributor accounts may be compromised or malicious.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2290 LOW Monitor

The Post Affiliate Pro WordPress plugin versions up to 1.28.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated administrators to make arbitrary outbound web requests from the affected server and read response content. An attacker with administrator-level access can exploit this to interact with internal services, exfiltrate data, or pivot to other systems. Wordfence has confirmed exploitation via external Collaborator endpoints, and the CVSS 6.5 score reflects moderate severity with low attack complexity.

WordPress SSRF
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-3506 MEDIUM This Month

The WP-Chatbot for Messenger WordPress plugin versions up to 4.9 contain an authorization bypass vulnerability that allows unauthenticated attackers to overwrite critical chatbot configuration options, specifically the MobileMonkey API token and company ID. This enables attackers to hijack the site's chatbot functionality and redirect visitor conversations to attacker-controlled accounts without requiring any authentication or user interaction. The vulnerability has a CVSS score of 5.3 with a network attack vector and no privilege requirements, making it readily exploitable by any remote attacker.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-4067 MEDIUM This Month

The Ad Short WordPress plugin versions up to 2.0.1 contain a Stored Cross-Site Scripting (XSS) vulnerability in the 'ad' shortcode's 'client' attribute that allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript code into pages. The vulnerability results from insufficient input sanitization and output escaping in the ad_func() shortcode handler, which directly concatenates user-supplied input into HTML attributes without applying proper escaping functions like esc_attr(). When affected pages are visited by other users, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2277 MEDIUM PATCH This Month

The rexCrawler WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability in the search-pattern tester page that allows unauthenticated attackers to inject arbitrary web scripts via inadequately sanitized 'url' and 'regex' parameters. Affected versions are up to and including 1.0.15 (CPE: cpe:2.3:a:larsdrasmussen:rexcrawler:*:*:*:*:*:*:*:*), with exploitation requiring social engineering to trick administrators into clicking a malicious link. This vulnerability is limited to WordPress multisite installations or sites where the unfiltered_html capability has been disabled, and carries a CVSS v3.1 score of 6.1 with an AV:N/AC:L/PR:N/UI:R/S:C profile indicating network-based exploitation with user interaction required.

WordPress XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1889 MEDIUM This Month

The Outgrow WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.1, affecting the 'id' attribute of the 'outgrow' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary JavaScript that executes for all users viewing affected pages. With a CVSS score of 6.4 and moderate attack complexity, this vulnerability poses a real threat to WordPress sites using this plugin, as privilege escalation through stored XSS could enable further compromise.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1851 MEDIUM This Month

The iVysilani Shortcode WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'width' shortcode attribute due to insufficient input sanitization and output escaping. All versions up to and including 3.0 are affected, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that persists in page content and executes for all subsequent site visitors. The vulnerability has been documented by Wordfence with proof-of-concept code available in the WordPress plugin repository, presenting a significant risk to WordPress installations relying on this plugin.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4077 MEDIUM This Month

The Ecover Builder For Dummies WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'id' parameter of the 'ecover' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in page content and executes for all users viewing the affected page. With a CVSS score of 6.4 and confirmed by Wordfence, this vulnerability enables privilege escalation and defacement attacks within WordPress environments.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1390 MEDIUM This Month

The Redirect Countdown WordPress plugin, in all versions up to and including 1.0, contains a Cross-Site Request Forgery vulnerability in the countdown_settings_content() function due to missing nonce validation. An unauthenticated attacker can trick a site administrator into clicking a malicious link to modify critical plugin settings including countdown timeout, redirect URL, and custom text. With a CVSS score of 4.3 and network-accessible attack vector, this vulnerability has moderate real-world impact despite low baseline severity, as it directly affects site functionality and user experience.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1378 MEDIUM This Month

The WP Posts Re-order plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0 due to missing nonce validation in the cpt_plugin_options() function. An unauthenticated attacker can exploit this to modify critical plugin settings including capability, autosort, and adminsort configurations by tricking a site administrator into clicking a malicious link. The vulnerability has a CVSS score of 4.3 (medium severity) with low attack complexity and requires user interaction, and while no public exploit code has been reported, the straightforward nature of CSRF attacks means proof-of-concept development is trivial.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1393 MEDIUM This Month

The Add Google Social Profiles to Knowledge Graph Box WordPress plugin (all versions up to 1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on its settings update functionality. An unauthenticated attacker can forge malicious requests to modify the plugin's Knowledge Graph settings if they can trick a site administrator into clicking a malicious link. While the CVSS score of 4.3 is moderate, the attack requires user interaction and has no confidentiality impact, making it a lower-severity real-world threat despite being easily exploitable.

Google WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1854 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Post Flagger WordPress plugin for all versions up to and including 1.1, caused by insufficient input sanitization and output escaping in the 'flag' shortcode's user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript code into pages, which executes for all users who view those pages. This vulnerability has a CVSS score of 6.4 (Medium) and is confirmed in the WordPress plugin repository; no evidence of active exploitation or public proof-of-concept is currently documented, but the straightforward nature of the vulnerability suggests exploitation potential.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1822 MEDIUM This Month

The WP NG Weather plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ng-weather' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 1.0.9 are affected, allowing authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript that executes when users visit pages containing the malicious shortcode. With a CVSS score of 6.4 and network-accessible attack vector, this vulnerability poses a moderate risk to WordPress installations using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2941 HIGH This Week

The Linksy Search and Replace plugin for WordPress versions up to 1.0.4 contains a missing capability check vulnerability that allows authenticated attackers with subscriber-level access or higher to modify arbitrary database tables. Attackers can exploit this to elevate their privileges to administrator by modifying the wp_capabilities field, achieving complete site takeover. With a CVSS score of 8.8 (High), this represents a critical privilege escalation vulnerability affecting authenticated users with minimal access.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-4086 MEDIUM This Month

The WP Random Button WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability affecting all versions up to and including 1.0. Authenticated attackers with Contributor-level or higher privileges can inject arbitrary JavaScript code through improperly sanitized shortcode attributes ('cat', 'nocat', and 'text'), which will execute in the browsers of any user viewing the affected pages. With a CVSS score of 6.4 and network-accessible attack vector requiring only low-privileged authenticated access, this vulnerability poses a moderate but realistic risk to WordPress sites using this plugin, particularly those with contributor-level user accounts or where user roles are not carefully managed.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2375 MEDIUM This Month

The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.

Apple Google WordPress PHP Privilege Escalation +2
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1800 HIGH This Week

The Fonts Manager | Custom Fonts plugin for WordPress contains a time-based SQL injection vulnerability in versions up to and including 1.2. Unauthenticated attackers can exploit the vulnerable 'fmcfIdSelectedFnt' parameter to extract sensitive database information without requiring any privileges or user interaction. The vulnerability has a CVSS score of 7.5, indicating high confidentiality impact, though no KEV listing or EPSS score is provided in the available data.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2440 HIGH This Week

The SurveyJS WordPress plugin contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to and including 2.5.3. Unauthenticated attackers can submit malicious HTML-encoded payloads through public survey forms that execute when administrators view survey results in the WordPress admin dashboard. With a CVSS score of 7.2 and no authentication required, this represents a significant risk to WordPress sites using this plugin.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3335 MEDIUM This Month

The Canto plugin for WordPress (versions up to 3.1.1) contains a critical missing authorization vulnerability in the copy-media.php file and related endpoints that allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory. The vulnerability stems from multiple PHP files being directly accessible without authentication, nonce validation, or authorization checks, while also accepting attacker-controlled parameters for API endpoints and domain configuration. An attacker can exploit this to upload malicious files (within WordPress MIME type constraints) or redirect legitimate file operations to attacker-controlled infrastructure, potentially leading to remote code execution or site compromise.

WordPress PHP Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3570 MEDIUM This Month

The Smarter Analytics WordPress plugin (all versions up to 2.0) contains an authentication bypass vulnerability that allows unauthenticated attackers to reset plugin configuration and delete all analytics settings via the 'reset' parameter in the global scope of smarter-analytics.php. This is a missing authentication and capability check vulnerability (CWE-862) with a CVSS score of 5.3, classified as moderate severity with low attack complexity and no authentication required. The vulnerability is publicly documented via Wordfence threat intelligence with direct references to the vulnerable code in the WordPress plugin repository, though no active exploitation in the wild or public proof-of-concept has been widely reported.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3334 HIGH PATCH This Week

The CMS Commander plugin for WordPress contains an SQL Injection vulnerability in all versions up to and including 2.288. Authenticated attackers with API key access can exploit the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in the restore workflow to append malicious SQL queries and extract sensitive database information. With a CVSS score of 8.8, this represents a high-severity vulnerability requiring low attack complexity and low privileges, though no active exploitation (KEV) or public POC has been reported at this time.

WordPress SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2279 HIGH PATCH This Week

The myLinksDump plugin for WordPress contains a SQL injection vulnerability in the 'sort_by' and 'sort_order' parameters affecting all versions up to and including 1.6. Authenticated attackers with administrator-level access can exploit insufficient input escaping and inadequate SQL query preparation to append malicious SQL queries and extract sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 7.2 with high impact to confidentiality, integrity, and availability.

WordPress SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-4302 HIGH This Week

The WowOptin: Next-Gen Popup Maker plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability affecting all versions up to and including 1.4.29. An unauthenticated attacker can exploit a publicly accessible REST API endpoint (optn/v1/integration-action) that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() without validation, allowing arbitrary web requests from the server. This enables querying and modifying information from internal services with a CVSS score of 7.2 (High), though no active exploitation (KEV) or public POC has been documented at this time.

WordPress SSRF
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-2430 MEDIUM This Month

The Autoptimize WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the lazy-loading image processing function that allows authenticated attackers with Contributor-level access to inject arbitrary web scripts into pages. The flaw exists in all versions up to and including 3.1.14 and stems from an overly permissive regular expression that fails to properly validate image tag attributes, enabling attackers to craft malicious image tags that break HTML structure and promote attribute values into executable code. This vulnerability carries a moderate CVSS score of 6.4 and requires user interaction for stored XSS payloads to execute when pages are accessed.

WordPress XSS
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3474 MEDIUM This Month

The EmailKit - Email Customizer for WooCommerce & WP WordPress plugin contains a path traversal vulnerability in the TemplateData class that allows authenticated administrators to read arbitrary files from the server via the 'emailkit-editor-template' REST API parameter. An attacker with Administrator privileges can exploit this flaw to access sensitive files such as wp-config.php or /etc/passwd by supplying directory traversal sequences, with the retrieved file contents stored as post metadata and retrievable through the fetch-data REST API endpoint. The vulnerability affects all versions up to and including 1.6.3, and while it requires high-level administrative access and has a moderate CVSS score of 4.9, it represents a critical information disclosure risk in multi-user WordPress environments.

WordPress PHP Path Traversal
NVD VulDB
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-3350 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Image Alt Text Manager plugin for WordPress (all versions up to 1.8.2) due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes via DOM parser. Authenticated attackers with Author-level access or higher can inject arbitrary JavaScript through post titles, which executes when other users visit affected pages. With a CVSS score of 6.4 and confirmed reporting by Wordfence, this vulnerability affects SEO-focused WordPress installations relying on this plugin for bulk alt text management.

WordPress XSS
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3567 MEDIUM This Month

A security vulnerability in an unnamed plugin for WordPress allows unauthorized access by any authenticated user (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3516 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Contact List plugin for WordPress (versions up to 3.0.18) where the '_cl_map_iframe' parameter fails to properly sanitize and escape Google Maps iframe custom fields, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input validation in the saveCustomFields() function and missing output escaping in the front-end rendering, creating a persistent XSS condition with a CVSS score of 6.4 and low-to-moderate exploitation probability given the authentication requirement.

WordPress PHP XSS Google
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2352 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Autoptimize WordPress plugin through version 3.1.14, caused by insufficient input sanitization in the ao_metabox_save() function and missing output escaping when rendering the 'ao_post_preload' meta value into HTML link tags. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes whenever users access pages with the Image optimization or Lazy-load images settings enabled, potentially affecting all users of compromised sites. The vulnerability has been patched and proof-of-concept code is available in the referenced GitHub commit.

WordPress PHP XSS
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3572 MEDIUM This Month

The iTracker360 WordPress plugin (versions up to 2.2.0) contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability in its settings form submission handler. An unauthenticated attacker can craft a malicious link or webpage that, when clicked by an administrator, injects arbitrary JavaScript code into the plugin's stored settings due to missing nonce verification and insufficient input sanitization/output escaping. This vulnerability is classified as medium severity (CVSS 6.1) and poses a real risk to WordPress sites using this plugin, as exploitation requires only user interaction and network access with no special privileges.

WordPress XSS CSRF
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-4083 MEDIUM This Month

This is a Stored Cross-Site Scripting (XSS) vulnerability in the Scoreboard for HTML5 Games Lite WordPress plugin affecting all versions up to and including 1.2. The vulnerability exists in the sfhg_shortcode() function, which insufficiently validates HTML attributes added to iframe elements, allowing authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript that executes when users view affected pages. The vulnerability has a CVSS score of 6.4 with medium real-world risk, as it requires authenticated access but affects stored content with site-wide impact.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3577 MEDIUM This Month

The Keep Backup Daily WordPress plugin versions up to 2.1.2 contain a Stored Cross-Site Scripting (XSS) vulnerability in the backup title alias functionality due to insufficient input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript via the `val` parameter in the `update_kbd_bkup_alias` AJAX action, which executes when other administrators view the backup list page. With a CVSS score of 4.4 and moderate real-world risk due to high privilege requirements, this vulnerability requires administrator-level access to exploit but can compromise other administrator sessions.

WordPress XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-3368 HIGH This Week

The Injection Guard plugin for WordPress versions up to 1.2.9 contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript into the admin log interface. The flaw stems from insufficient sanitization of query parameter names, which are logged and later rendered without proper output escaping when administrators view the plugin's log page. This enables arbitrary script execution in the context of an authenticated administrator's browser session, potentially leading to account compromise or further malicious actions.

WordPress PHP XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3339 LOW Monitor

The Keep Backup Daily WordPress plugin versions up to 2.1.1 contain a limited path traversal vulnerability in the `kbd_open_upload_dir` AJAX action that allows authenticated administrators to enumerate arbitrary directories on the server. An attacker with Administrator-level access can exploit insufficient sanitization of the `kbd_path` parameter (using only `sanitize_text_field()` which does not prevent path traversal sequences) to list directory contents outside the intended uploads directory. While the CVSS score of 2.7 is low and exploitation requires high-privilege Administrator access, the vulnerability represents a real information disclosure risk in multi-user WordPress environments or where administrator accounts are compromised.

WordPress Path Traversal
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-3584 CRITICAL POC Act Now

The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction.

WordPress RCE Code Injection
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-2432 MEDIUM This Month

The CM Custom Reports - Flexible reporting to track what matters most plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in admin settings that allows authenticated administrators to inject arbitrary web scripts. The vulnerability affects all versions up to and including 1.2.7 and is caused by insufficient input sanitization and output escaping in the GraphModule.php file. While the CVSS score of 4.4 is moderate, exploitation is restricted to high-privilege authenticated attackers on multi-site WordPress installations or where unfiltered_html has been disabled, making real-world exploitability dependent on specific WordPress configurations.

WordPress XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-3550 MEDIUM This Month

The RockPress WordPress plugin (versions up to 1.0.17) contains a Missing Authorization vulnerability in five AJAX actions that allows authenticated users with Subscriber-level privileges to trigger privileged operations intended for administrators. The vulnerability stems from a combination of missing capability checks (current_user_can() calls) in AJAX handlers and exposure of an admin nonce to all authenticated users via an unconditionally enqueued script. Attackers can extract the nonce from the HTML source and use it to trigger resource-intensive imports, reset import data, check service connectivity, and read import status information without administrative privileges.

WordPress PHP Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2421 MEDIUM This Month

A Path Traversal vulnerability exists in the ilGhera Carta Docente for WooCommerce plugin for WordPress (versions up to and including 1.5.0) that allows authenticated administrators to delete arbitrary files on the server through insufficient validation of the 'cert' parameter in the 'wccd-delete-certificate' AJAX action. An attacker with administrator privileges can exploit this to delete critical files such as wp-config.php, leading to site takeover and potential remote code execution. The vulnerability has been documented by Wordfence security researchers and affects all versions from release through 1.5.0, with a patch available in version 1.5.1 and later.

WordPress PHP Path Traversal RCE
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-4136 MEDIUM This Month

The Membership Plugin - Restrict Content for WordPress contains an unvalidated redirect vulnerability in the 'rcp_redirect' parameter that allows unauthenticated attackers to redirect users to arbitrary external sites via password reset emails. Affected versions include all releases up to and including 3.2.24. This vulnerability has a CVSS score of 4.3 (low-to-moderate severity) and requires user interaction, limiting its immediate exploitation impact but creating a viable phishing vector for credential harvesting or malware distribution.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4038 CRITICAL Act Now

The Aimogen Pro plugin for WordPress contains an arbitrary function call vulnerability allowing unauthenticated attackers to execute privileged WordPress functions without authorization. All versions up to and including 2.7.5 are affected, enabling attackers to modify critical site settings such as changing the default user registration role to administrator, then registering as an admin to gain full site control. This is a critical authentication bypass with privilege escalation rated 9.8 CVSS, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.

WordPress Privilege Escalation Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4267 HIGH PATCH This Week

Query Monitor, a WordPress debugging plugin, contains a Reflected Cross-Site Scripting (XSS) vulnerability in versions up to 3.20.3 where user-controlled data from REQUEST_URI is insufficiently escaped before rendering in the admin interface. Unauthenticated attackers can craft malicious links that, when clicked by Administrator users, execute arbitrary JavaScript in their browser context. The vulnerability has a CVSS score of 6.1 (Medium) and requires user interaction, but represents a direct attack vector against high-privilege WordPress administrators.

WordPress XSS
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3658 HIGH This Week

Unauthenticated attackers can exploit SQL injection in the Simply Schedule Appointments Booking Plugin for WordPress (versions up to 1.6.10.0) through the 'fields' parameter to extract sensitive database information including usernames, email addresses, and password hashes. The vulnerability stems from insufficient input escaping and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.

WordPress PHP SQLi Information Disclosure Appointment Booking Calendar Simply Schedule Appointments Booking Plugin
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27070 HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in the Everest Forms Pro WordPress plugin that allows attackers to inject malicious scripts into web pages. The plugin versions through 1.9.10 are affected, and the vulnerability can be exploited over the network with low attack complexity and no privileges, though user interaction is required. With a CVSS score of 7.1 and reported by the Patchstack audit team, this represents a moderate-to-high severity issue with scope change indicating potential impact beyond the vulnerable component.

WordPress PHP XSS
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25443 HIGH This Week

Dotstore Fraud Prevention For Woocommerce versions through 2.3.3 contain an authorization bypass vulnerability that allows unauthenticated attackers to manipulate access control settings and cause denial of service. The missing authorization checks enable remote exploitation without user interaction, affecting WordPress installations using this plugin. No patch is currently available for this vulnerability.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3475 MEDIUM This Month

Instant Popup Builder contains a remote code execution vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

WordPress PHP RCE Code Injection Instant Popup Builder Powerful Popup Maker For Opt Ins Email Newsletters Lead Generation
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2571 MEDIUM This Month

The Download Manager plugin for WordPress contains a missing capability check in the 'reviewUserStatus' function that allows authenticated subscribers and above to access sensitive user information without proper authorization. Affected versions include all releases up to and including 3.3.49, enabling attackers with minimal privileges to retrieve email addresses, display names, and registration dates for any user on the site. While the CVSS score of 4.3 is moderate and the vulnerability requires authentication, the ease of exploitation and the breadth of exposed personal data present a meaningful information disclosure risk for WordPress installations using this plugin.

WordPress PHP Information Disclosure Privilege Escalation Download Manager
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4006 MEDIUM This Month

The Simple Draft List WordPress plugin by Dartiss contains a Stored Cross-Site Scripting vulnerability in versions up to 2.6.2, caused by insufficient input sanitization and output escaping of the 'display_name' post meta field. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript via the {{author+link}} template tag when no author URL is present, which will execute whenever users visit pages containing the [drafts] shortcode. The vulnerability has a CVSS score of 6.4 with a network attack vector and low attack complexity, requiring only low-level privileges.

WordPress PHP XSS Draft List
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4120 MEDIUM This Month

The Info Cards - Add Text and Media in Card Layouts WordPress plugin versions up to 2.0.7 contain a Stored Cross-Site Scripting vulnerability in the 'btnUrl' parameter of the Info Cards block that allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript code. The vulnerability exists because the plugin fails to validate URL protocols (specifically javascript: schemes) on the server side, and the client-side rendering directly inserts unsanitized URLs into anchor href attributes, enabling script execution when users click the malicious button links. While there is no indication of active KEV exploitation, the low attack complexity and low privilege requirements make this a practical threat in multi-author WordPress environments.

WordPress PHP XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4068 MEDIUM This Month

The Add Custom Fields to Media WordPress plugin versions up to 2.0.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the field deletion functionality that allows unauthenticated attackers to delete arbitrary custom media fields. The vulnerability exists because the plugin validates nonces for the 'add field' operation but fails to validate nonces on the 'delete field' operation, which processes the $_GET['delete'] parameter directly. An attacker can exploit this by tricking a site administrator into clicking a malicious link, resulting in unauthorized deletion of custom media field configurations with no authentication required beyond social engineering.

WordPress PHP CSRF Add Custom Fields To Media
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-27096 HIGH This Week

The ColorFolio Freelance Designer WordPress Theme versions up to 1.3 contain a deserialization of untrusted data vulnerability that allows attackers to perform PHP Object Injection. This enables remote unauthenticated attackers to execute arbitrary code or manipulate application logic, though exploitation requires high attack complexity. There is no evidence of active exploitation (not in CISA KEV), and EPSS score data is not provided, but the vulnerability has been publicly disclosed by Patchstack.

Deserialization WordPress Colorfolio Freelance Designer Wordpress Theme
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-27540 CRITICAL Act Now

An unrestricted file upload vulnerability exists in the Woocommerce Wholesale Lead Capture plugin for WordPress, allowing remote attackers to upload and execute malicious files without authentication. The vulnerability affects all versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. With a CVSS score of 9.0 (Critical), this vulnerability enables attackers to achieve complete system compromise through arbitrary file upload, though the attack complexity is rated as high.

File Upload WordPress Woocommerce Wholesale Lead Capture
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-27542 CRITICAL Act Now

An incorrect privilege assignment vulnerability exists in the WooCommerce Wholesale Lead Capture plugin for WordPress, allowing unauthenticated attackers to escalate privileges on affected sites. All versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. are vulnerable. With a CVSS score of 9.8 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe security risk for WordPress sites using this plugin.

WordPress Privilege Escalation Woocommerce Wholesale Lead Capture
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1238 HIGH This Week

The SlimStat Analytics plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the 'fh' (fingerprint) parameter that allows unauthenticated attackers to inject malicious scripts into pages. All versions up to and including 5.3.5 are affected due to insufficient input sanitization and output escaping. The vulnerability has a CVSS score of 7.2 with network-based attack vector requiring no privileges or user interaction, though no active exploitation (KEV) or EPSS data is currently reported.

WordPress XSS Slimstat Analytics
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1463 HIGH This Week

The NextGEN Gallery plugin for WordPress contains a Local File Inclusion vulnerability in the 'template' parameter of gallery shortcodes, affecting all versions up to and including 4.0.3. Authenticated attackers with Author-level privileges or higher can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or complete site compromise. This is a confirmed vulnerability reported by Wordfence with a high CVSS score of 8.8, though no active exploitation (KEV) status has been reported at this time.

WordPress PHP Lfi RCE Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-2992 HIGH This Week

The KiviCare clinic management plugin for WordPress contains a critical privilege escalation vulnerability allowing unauthenticated attackers to create new clinics and administrative users through an unprotected REST API endpoint. All versions up to and including 4.1.2 are affected. With a CVSS score of 8.2 and network-based exploitation requiring no authentication, this represents a significant risk to healthcare data confidentiality and system integrity, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.

WordPress Privilege Escalation Authentication Bypass
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-2991 HIGH This Week

The KiviCare Clinic & Patient Management System (EHR) plugin for WordPress contains a critical authentication bypass vulnerability allowing unauthenticated attackers to log in as any patient by simply providing their email address and an arbitrary access token value. All versions up to and including 4.1.2 are affected, exposing sensitive medical records, appointments, prescriptions, and billing information (PII/PHI). The CVSS score of 9.8 reflects the severity of unauthenticated remote exploitation with high impact to confidentiality, integrity, and availability.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-3090 HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in the Post SMTP WordPress plugin through version 3.8.0, allowing unauthenticated attackers to inject malicious scripts via the 'event_type' parameter. The vulnerability requires the Post SMTP Pro plugin with its Reporting and Tracking extension to be enabled for exploitation. With a CVSS score of 7.2 and unauthenticated network-based exploitation possible, this represents a moderate-to-high severity risk for WordPress sites using both the free and Pro versions of Post SMTP together.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2512 MEDIUM PATCH This Month

The Code Embed plugin for WordPress (versions up to 2.5.1) contains a stored cross-site scripting vulnerability that allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into pages through custom field meta values. The vulnerability exists because the plugin's sanitization function only runs during post saves, while WordPress AJAX endpoints can add meta fields without triggering sanitization, and the plugin then outputs these unsanitized values directly without HTML escaping. An attacker can inject malicious scripts that execute whenever any user visits an affected page, potentially leading to session hijacking, credential theft, or malware distribution.

WordPress XSS Code Embed
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2559 MEDIUM PATCH This Month

The Post SMTP WordPress plugin in versions up to 3.8.0 contains an authorization bypass vulnerability in the Office 365 OAuth redirect handler that allows authenticated subscribers and above to overwrite sensitive SMTP configuration without proper capability checks or nonce validation. An attacker with subscriber-level access can craft a malicious URL to inject attacker-controlled Azure app credentials into the site's Microsoft 365 configuration, potentially causing administrators to unknowingly connect to the attacker's account during Pro wizard setup. This vulnerability has a CVSS score of 5.3 and is classified as CWE-862 (Missing Authorization), with active evidence of the vulnerable code path present in the plugin repository.

WordPress Microsoft Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1217 MEDIUM PATCH This Month

The Yoast Duplicate Post WordPress plugin through version 4.5 contains a missing capability check vulnerability in the clone_bulk_action_handler() and republish_request() functions, allowing authenticated attackers with Contributor-level access to duplicate restricted posts (private, draft, trashed) and Author-level attackers to overwrite published posts via the Rewrite & Republish feature. The vulnerability carries a CVSS score of 5.4 (medium severity) with ENISA EUVD tracking (EUVD-2026-12800), and Wordfence has documented specific vulnerable code paths in the plugin's bulk handler and post republisher modules.

WordPress Authentication Bypass Yoast Duplicate Post
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3512 MEDIUM This Month

The Writeprint Stylometry WordPress plugin (versions up to 0.1) contains a Reflected Cross-Site Scripting (XSS) vulnerability in the bjl_wprintstylo_comments_nav() function that fails to properly sanitize and escape the 'p' GET parameter before outputting it in HTML href attributes. An attacker can craft a malicious link containing arbitrary JavaScript code and trick users into clicking it, resulting in session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (clicking a link) but has a network attack vector with low complexity and no privilege requirements, making it a practical threat in WordPress ecosystems.

WordPress XSS Writeprint Stylometry
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-15363 MEDIUM POC This Month

The Get Use APIs WordPress plugin before version 2.0.10 contains a Cross-Site Scripting (XSS) vulnerability that arises from unsanitized execution of imported JSON data. This vulnerability allows attackers with contributor-level privileges (a low-level WordPress role) to inject and execute malicious scripts under certain server configurations, potentially compromising site integrity and user data. A public proof-of-concept exploit is available via WPScan, and the vulnerability has been documented in multiple intelligence sources (WPScan, VulDB, and EUVD-2025-208813), indicating active awareness in the security community.

WordPress XSS Get Use Apis PHP
NVD WPScan VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-1926 MEDIUM This Month

The Subscriptions for WooCommerce plugin contains a critical authentication bypass vulnerability in the subscription cancellation function that allows unauthenticated attackers to cancel any active WooCommerce subscription. The vulnerability affects all versions up to and including 1.9.2 of the plugin (CPE: cpe:2.3:a:wpswings:subscriptions_for_woocommerce:*:*:*:*:*:*:*:*) and stems from a missing capability check combined with improper nonce validation. An attacker can exploit this with a simple GET request, requiring no special privileges or user interaction, resulting in unauthorized modification of subscription data with a CVSS score of 5.3 and confirmed active exploitation potential.

WordPress Authentication Bypass Subscriptions For Woocommerce
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1780 MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the [CR]Paid Link Manager WordPress plugin through version 0.5, caused by insufficient input sanitization and output escaping in the URL path parameter. Unauthenticated attackers can craft malicious URLs containing arbitrary JavaScript that executes in the browsers of users who click the link, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability has a moderate CVSS score of 6.1 and requires user interaction (UI:R), but the network-accessible attack vector (AV:N) and lack of privilege requirements make it a practical threat for WordPress sites using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-3003
EPSS 0% CVSS 7.2
HIGH This Week

The Vagaro Booking Widget plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'vagaro_code' parameter affecting all versions up to and including 0.3. Unauthenticated attackers can inject malicious JavaScript that executes whenever any user visits the compromised page, potentially leading to session hijacking, credential theft, or further site compromise. The CVSS score of 7.2 reflects network-based exploitation with no authentication required and changed scope, indicating the attack can affect resources beyond the vulnerable component.

WordPress XSS
NVD
CVE-2026-1392
EPSS 0% CVSS 4.3
MEDIUM This Month

The SR WP Minify HTML plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the sr_minify_html_theme() function, affecting all versions up to and including 2.1. An unauthenticated attacker can exploit this vulnerability to modify plugin settings by tricking a site administrator into clicking a malicious link, potentially allowing unauthorized changes to site minification configuration. While the CVSS score of 4.3 is moderate and no KEV status or active exploitation has been confirmed, the vulnerability remains exploitable against WordPress installations with this plugin active.

WordPress CSRF
NVD VulDB
CVE-2026-3460
EPSS 0% CVSS 5.3
MEDIUM This Month

The REST API TO MiniProgram plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with Subscriber-level access to modify arbitrary users' WeChat shop metadata by exploiting a permission validation flaw. The vulnerability affects all versions up to and including 5.1.2, where the permission callback validates one parameter (openid) but the actual modification function uses a different attacker-controlled parameter (userid) without cross-validation. Attackers can exploit this via the REST API to alter storeinfo, storeappid, and storename fields for any user account, potentially disrupting store operations or impersonating legitimate shop owners.

Information Disclosure WordPress
NVD VulDB
CVE-2026-3641
EPSS 0% CVSS 5.3
MEDIUM This Month

The Appmax WordPress plugin versions up to 1.0.3 contain an improper input validation vulnerability in its public REST API webhook endpoint at /webhook-system that fails to authenticate, verify signatures, or validate the authenticity of incoming webhook requests. Unauthenticated attackers can exploit this by crafting malicious webhook payloads to modify existing WooCommerce order statuses, create arbitrary new orders and products with attacker-controlled data, and inject arbitrary metadata into orders. With a CVSS score of 5.3 (medium severity), a CVSS vector indicating network accessibility with low attack complexity and no authentication required, and confirmed vulnerability references in the official WordPress plugin repository, this vulnerability poses a significant integrity risk to e-commerce sites using the affected plugin.

Information Disclosure WordPress
NVD VulDB
CVE-2026-3996
EPSS 0% CVSS 6.4
MEDIUM This Month

The WP Games Embed WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 0.1beta due to insufficient input sanitization and output escaping of shortcode attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript through shortcode parameters such as 'width', 'height', 'src', 'title', 'description', 'game_url', 'main', and 'thumb', which are directly concatenated into HTML output without escaping. When other users visit pages containing the malicious shortcode, the injected scripts execute in their browsers, potentially allowing session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD VulDB
CVE-2026-3332
EPSS 0% CVSS 4.3
MEDIUM This Month

The Xhanch - My Advanced Settings WordPress plugin (versions up to 1.1.2) contains a Cross-Site Request Forgery vulnerability in its settings update handler due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings if they can trick an administrator into clicking a malicious link. The vulnerability is particularly dangerous because unescaped output of the `favicon_url` and `ga_acc_id` settings enables a CSRF-to-Stored XSS chain, where injected payloads persist and affect all site visitors. While no active exploitation in the wild has been confirmed in public records and the CVSS score of 4.3 is relatively low, the attack requires only user interaction and results in stored cross-site scripting on the front-end.

Google WordPress CSRF
NVD GitHub
CVE-2026-2468
EPSS 0% CVSS 7.5
HIGH This Week

The Quentn WP plugin for WordPress contains an SQL Injection vulnerability that allows unauthenticated attackers to extract sensitive database information through a malicious 'qntn_wp_access' cookie value. All versions up to and including 1.2.12 are affected. With a CVSS score of 7.5 and requiring no authentication or user interaction, this represents a significant risk for WordPress sites using this plugin, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.

WordPress SQLi
NVD
CVE-2026-2294
EPSS 0% CVSS 4.3
MEDIUM This Month

UiPress lite plugin for WordPress through version 3.5.09 fails to validate user permissions on the global settings modification function, allowing authenticated subscribers and higher-privileged users to arbitrarily alter plugin configurations. This insufficient access control enables attackers to modify sensitive settings despite lacking administrative rights. A patch is not currently available.

Authentication Bypass WordPress
NVD
CVE-2026-1253
EPSS 0% CVSS 4.3
MEDIUM This Month

The Group Chat & Video Chat by AtomChat WordPress plugin (versions up to 1.1.7) contains a missing capability check vulnerability in the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' AJAX handlers, allowing authenticated Subscriber-level users and above to arbitrarily modify plugin options including API keys and authentication credentials. With a CVSS score of 5.3 and network-based attack vector requiring only authentication (not admin privileges), this represents a medium-severity privilege escalation and configuration tampering issue affecting WordPress installations using this plugin. No evidence of active exploitation in the wild has been documented at this time, though the straightforward nature of the vulnerability (missing capability checks) suggests proof-of-concept code could be easily developed.

Authentication Bypass WordPress
NVD VulDB
CVE-2026-1899
EPSS 0% CVSS 6.4
MEDIUM This Month

The Any Post Slider WordPress plugin versions up to 1.0.4 contain a Stored Cross-Site Scripting (XSS) vulnerability in the aps_slider shortcode due to insufficient input sanitization and output escaping on the 'post_type' attribute. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in pages and executes for all users who view the injected content. With a CVSS score of 6.4 and attack complexity marked as low, this represents a moderate-severity threat primarily affecting multi-user WordPress installations where contributor access is delegated.

WordPress XSS
NVD
CVE-2026-3651
EPSS 0% CVSS 5.3
MEDIUM This Month

The Build App Online WordPress plugin contains an authentication bypass vulnerability in the 'build-app-online-update-vendor-product' AJAX action that allows unauthenticated attackers to modify post metadata without authorization. Affected versions are up to and including 1.0.23 as confirmed via CPE (cpe:2.3:a:hakeemnala:build_app_online). Attackers can orphan posts by setting the post_author field to 0 or, if authenticated, claim ownership of arbitrary posts by reassigning authorship, resulting in unauthorized content modification with medium integrity impact (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVE-2026-1806
EPSS 0% CVSS 6.4
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Tour & Activity Operator Plugin for TourCMS (all versions up to 1.7.0) affecting WordPress installations. The vulnerability resides in the 'target' parameter of the tourcms_doc_link shortcode, where insufficient input sanitization and output escaping allows authenticated attackers with Contributor-level privileges and above to inject arbitrary JavaScript code that executes in the browsers of users visiting affected pages. With a CVSS score of 6.4 and network-based attack vector requiring only low privileges, this represents a moderate but exploitable risk to WordPress sites using this plugin.

WordPress XSS
NVD VulDB
CVE-2026-1247
EPSS 0% CVSS 4.4
MEDIUM This Month

The Survey plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in administrative settings due to insufficient input sanitization and output escaping, affecting all versions up to and including 1.1. Authenticated attackers with administrator-level permissions can inject arbitrary JavaScript code that executes when users access affected pages, though this is restricted to multi-site installations or those with unfiltered_html disabled. With a CVSS score of 4.4 and high attack complexity requiring administrator privileges, the real-world risk is moderate; no public exploit code or KEV status has been indicated, making this a lower-priority remediation compared to critical vulnerabilities.

WordPress XSS
NVD VulDB
CVE-2026-1935
EPSS 0% CVSS 4.3
MEDIUM This Month

The Company Posts for LinkedIn WordPress plugin (versions up to 1.0.0) contains a missing authorization vulnerability in the linkedin_company_post_reset_handler() function that allows authenticated attackers with Subscriber-level privileges to delete LinkedIn post data from the site's options table without proper capability checks. This is a privilege escalation flaw where low-privileged users can perform administrative actions. While the CVSS score is moderate at 4.3 and reflects limited integrity impact without confidentiality or availability concerns, the vulnerability enables unauthorized modification of site configuration data by any authenticated user.

Authentication Bypass WordPress
NVD
CVE-2026-1886
EPSS 0% CVSS 6.4
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Go Night Pro WordPress Dark Mode Plugin affecting all versions up to and including 1.1.0, where the 'margin' attribute of the 'go-night-pro-shortcode' shortcode fails to properly sanitize and escape user input. Authenticated attackers with contributor-level access or above can inject arbitrary JavaScript code into pages, which executes when other users access the affected pages. This vulnerability carries a CVSS score of 6.4 (Medium) with network-based attack vector and low complexity, requiring valid WordPress credentials but affecting site-wide script execution with potential impact on user data and site integrity.

WordPress XSS
NVD
CVE-2026-1891
EPSS 0% CVSS 6.4
MEDIUM This Month

The Simple Football Scoreboard plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ytmr_fb_scoreboard' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 1.0 are affected, allowing authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript that executes for all users viewing the compromised page. With a CVSS score of 6.4 and network-based attack vector requiring only low privileges, this represents a moderate but exploitable threat to WordPress sites using this plugin.

WordPress XSS
NVD
CVE-2025-13910
EPSS 0% CVSS 6.1
MEDIUM This Month

The WP-WebAuthn WordPress plugin contains an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the wwa_auth AJAX endpoint that allows attackers to inject arbitrary JavaScript into the plugin's log page. Affected are all versions up to and including 1.3.4 of the plugin (identified via CPE cpe:2.3:a:axton:wp-webauthn:*:*:*:*:*:*:*:*), which is exploitable only when logging is enabled in plugin settings. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes, enabling persistent XSS execution whenever administrators or authorized users access the logging interface.

WordPress XSS PHP
NVD
CVE-2026-4069
EPSS 0% CVSS 6.1
MEDIUM This Month

The Alfie - Feed Plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'naam' parameter of the alfie_option_page() function, affecting all versions up to and including 1.2.1. The vulnerability stems from missing nonce validation combined with insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject malicious scripts that persist in the plugin's database and execute when users view affected pages. An attacker must successfully social engineer a site administrator into clicking a malicious link, but once exploited, the payload executes with the privileges of any user accessing the compromised page, making this a moderate-risk vulnerability with a CVSS score of 6.1.

WordPress XSS
NVD
CVE-2026-2496
EPSS 0% CVSS 6.4
MEDIUM This Month

Ed's Font Awesome plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the eds_font_awesome shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 2.0 are affected, allowing authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript that persists in pages and executes for all users viewing those pages. No evidence of active exploitation in the wild (KEV status unknown), but the vulnerability is straightforward to exploit given contributor access and represents a persistent compromise vector.

WordPress XSS
NVD
CVE-2026-2424
EPSS 0% CVSS 4.4
MEDIUM This Month

The Reward Video Ad for WordPress plugin (all versions up to 1.6) contains a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings due to insufficient input sanitization and output escaping on fields including Account ID, Message before the video, and color parameters. This allows authenticated administrators to inject arbitrary JavaScript that executes whenever any user accesses an affected page, potentially compromising site visitors. The vulnerability requires Administrator-level access to exploit, limiting the attack surface to high-privilege accounts, though once injected, the malicious scripts execute with no further user interaction required.

WordPress XSS
NVD
CVE-2026-4084
EPSS 0% CVSS 6.4
MEDIUM This Month

The fyyd podcast shortcodes plugin for WordPress contains a Stored Cross-Site Scripting vulnerability affecting all versions up to and including 0.3.1, where shortcode attributes (color, podcast_id, podcast_slug) are improperly concatenated into inline JavaScript without sanitization or escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages, allowing session hijacking, credential theft, or malware distribution. The CVSS 6.4 score reflects moderate risk with network-accessible attack vector and low complexity, though exploitation requires prior authentication.

WordPress XSS
NVD VulDB
CVE-2026-4127
EPSS 0% CVSS 4.3
MEDIUM This Month

The Speedup Optimization plugin for WordPress contains a missing authorization vulnerability in the `speedup01_ajax_enabled()` AJAX handler that fails to verify user capabilities or nonce tokens, allowing authenticated attackers with Subscriber-level privileges to enable or disable the site's optimization module. Affected versions include all releases up to and including 1.5.9, as documented by Wordfence. While the CVSS score of 5.3 is moderate, the vulnerability represents a clear authorization bypass that could allow low-privileged attackers to degrade site performance or disable security-relevant optimization features.

Authentication Bypass WordPress
NVD
CVE-2026-1093
EPSS 0% CVSS 6.4
MEDIUM This Month

The WPFAQBlock plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the 'class' parameter of the 'wpfaqblock' shortcode, affecting all versions up to and including 1.1. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in pages and executes for all users visiting those pages. With a CVSS score of 6.4 and low attack complexity, this represents a moderate-to-significant risk for WordPress installations using this plugin, particularly on multi-author sites where contributor accounts may be compromised or malicious.

WordPress XSS
NVD VulDB
CVE-2026-2290
EPSS 0% CVSS 3.8
LOW Monitor

The Post Affiliate Pro WordPress plugin versions up to 1.28.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated administrators to make arbitrary outbound web requests from the affected server and read response content. An attacker with administrator-level access can exploit this to interact with internal services, exfiltrate data, or pivot to other systems. Wordfence has confirmed exploitation via external Collaborator endpoints, and the CVSS 6.5 score reflects moderate severity with low attack complexity.

WordPress SSRF
NVD
CVE-2026-3506
EPSS 0% CVSS 5.3
MEDIUM This Month

The WP-Chatbot for Messenger WordPress plugin versions up to 4.9 contain an authorization bypass vulnerability that allows unauthenticated attackers to overwrite critical chatbot configuration options, specifically the MobileMonkey API token and company ID. This enables attackers to hijack the site's chatbot functionality and redirect visitor conversations to attacker-controlled accounts without requiring any authentication or user interaction. The vulnerability has a CVSS score of 5.3 with a network attack vector and no privilege requirements, making it readily exploitable by any remote attacker.

WordPress Authentication Bypass
NVD
CVE-2026-4067
EPSS 0% CVSS 6.4
MEDIUM This Month

The Ad Short WordPress plugin versions up to 2.0.1 contain a Stored Cross-Site Scripting (XSS) vulnerability in the 'ad' shortcode's 'client' attribute that allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript code into pages. The vulnerability results from insufficient input sanitization and output escaping in the ad_func() shortcode handler, which directly concatenates user-supplied input into HTML attributes without applying proper escaping functions like esc_attr(). When affected pages are visited by other users, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD
CVE-2026-2277
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

The rexCrawler WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability in the search-pattern tester page that allows unauthenticated attackers to inject arbitrary web scripts via inadequately sanitized 'url' and 'regex' parameters. Affected versions are up to and including 1.0.15 (CPE: cpe:2.3:a:larsdrasmussen:rexcrawler:*:*:*:*:*:*:*:*), with exploitation requiring social engineering to trick administrators into clicking a malicious link. This vulnerability is limited to WordPress multisite installations or sites where the unfiltered_html capability has been disabled, and carries a CVSS v3.1 score of 6.1 with an AV:N/AC:L/PR:N/UI:R/S:C profile indicating network-based exploitation with user interaction required.

WordPress XSS
NVD GitHub
CVE-2026-1889
EPSS 0% CVSS 6.4
MEDIUM This Month

The Outgrow WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.1, affecting the 'id' attribute of the 'outgrow' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary JavaScript that executes for all users viewing affected pages. With a CVSS score of 6.4 and moderate attack complexity, this vulnerability poses a real threat to WordPress sites using this plugin, as privilege escalation through stored XSS could enable further compromise.

WordPress XSS
NVD
CVE-2026-1851
EPSS 0% CVSS 6.4
MEDIUM This Month

The iVysilani Shortcode WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'width' shortcode attribute due to insufficient input sanitization and output escaping. All versions up to and including 3.0 are affected, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that persists in page content and executes for all subsequent site visitors. The vulnerability has been documented by Wordfence with proof-of-concept code available in the WordPress plugin repository, presenting a significant risk to WordPress installations relying on this plugin.

WordPress XSS
NVD
CVE-2026-4077
EPSS 0% CVSS 6.4
MEDIUM This Month

The Ecover Builder For Dummies WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'id' parameter of the 'ecover' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in page content and executes for all users viewing the affected page. With a CVSS score of 6.4 and confirmed by Wordfence, this vulnerability enables privilege escalation and defacement attacks within WordPress environments.

WordPress XSS
NVD
CVE-2026-1390
EPSS 0% CVSS 4.3
MEDIUM This Month

The Redirect Countdown WordPress plugin for all versions up to and including 1.0 contains a Cross-Site Request Forgery vulnerability in the countdown_settings_content() function due to missing nonce validation. An unauthenticated attacker can trick a site administrator into clicking a malicious link to modify critical plugin settings including countdown timeout, redirect URL, and custom text. With a CVSS score of 4.3 and network-accessible attack vector, this vulnerability has moderate real-world impact despite low baseline severity, as it directly affects site functionality and user experience.

WordPress CSRF
NVD VulDB
CVE-2026-1378
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Posts Re-order plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0 due to missing nonce validation in the cpt_plugin_options() function. An unauthenticated attacker can exploit this to modify critical plugin settings including capability, autosort, and adminsort configurations by tricking a site administrator into clicking a malicious link. The vulnerability has a CVSS score of 4.3 (medium severity) with low attack complexity and requires user interaction, and while no public exploit code has been reported, the straightforward nature of CSRF attacks means proof-of-concept development is trivial.

WordPress CSRF
NVD VulDB
CVE-2026-1393
EPSS 0% CVSS 4.3
MEDIUM This Month

The Add Google Social Profiles to Knowledge Graph Box WordPress plugin (all versions up to 1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on its settings update functionality. An unauthenticated attacker can forge malicious requests to modify the plugin's Knowledge Graph settings if they can trick a site administrator into clicking a malicious link. While the CVSS score of 4.3 is moderate, the attack requires user interaction and has no confidentiality impact, making it a lower-severity real-world threat despite being easily exploitable.

Google WordPress CSRF
NVD VulDB
CVE-2026-1854
EPSS 0% CVSS 6.4
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Post Flagger WordPress plugin for all versions up to and including 1.1, caused by insufficient input sanitization and output escaping in the 'flag' shortcode's user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript code into pages, which executes for all users who view those pages. This vulnerability has a CVSS score of 6.4 (Medium) and is confirmed in the WordPress plugin repository; no evidence of active exploitation or public proof-of-concept is currently documented, but the straightforward nature of the vulnerability suggests exploitation potential.

WordPress XSS
NVD
CVE-2026-1822
EPSS 0% CVSS 6.4
MEDIUM This Month

The WP NG Weather plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ng-weather' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 1.0.9 are affected, allowing authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript that executes when users visit pages containing the malicious shortcode. With a CVSS score of 6.4 and network-accessible attack vector, this vulnerability poses a moderate risk to WordPress installations using this plugin.

WordPress XSS
NVD VulDB
CVE-2026-2941
EPSS 0% CVSS 8.8
HIGH This Week

The Linksy Search and Replace plugin for WordPress versions up to 1.0.4 contains a missing capability check vulnerability that allows authenticated attackers with subscriber-level access or higher to modify arbitrary database tables. Attackers can exploit this to elevate their privileges to administrator by modifying the wp_capabilities field, achieving complete site takeover. With a CVSS score of 8.8 (High), this represents a critical privilege escalation vulnerability affecting authenticated users with minimal access.

Authentication Bypass WordPress Privilege Escalation
NVD
CVE-2026-4086
EPSS 0% CVSS 6.4
MEDIUM This Month

The WP Random Button WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.0 affecting all installations of this plugin. Authenticated attackers with Contributor-level or higher privileges can inject arbitrary JavaScript code through improperly sanitized shortcode attributes ('cat', 'nocat', and 'text'), which will execute in the browsers of any user viewing the affected pages. With a CVSS score of 6.4 and network-accessible attack vector requiring only low-privileged authenticated access, this vulnerability poses a moderate but realistic risk to WordPress sites using this plugin, particularly those with contributor-level user accounts or where user roles are not carefully managed.

WordPress XSS
NVD
CVE-2026-2375
EPSS 0% CVSS 6.5
MEDIUM This Month

The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.

Apple Google WordPress
NVD
CVE-2026-1800
EPSS 0% CVSS 7.5
HIGH This Week

The Fonts Manager | Custom Fonts plugin for WordPress contains a time-based SQL injection vulnerability in versions up to and including 1.2. Unauthenticated attackers can exploit the vulnerable 'fmcfIdSelectedFnt' parameter to extract sensitive database information without requiring any privileges or user interaction. The vulnerability has a CVSS score of 7.5, indicating high confidentiality impact, though no KEV listing or EPSS score is provided in the available data.

WordPress SQLi
NVD VulDB
CVE-2026-2440
EPSS 0% CVSS 7.2
HIGH This Week

The SurveyJS WordPress plugin contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to and including 2.5.3. Unauthenticated attackers can submit malicious HTML-encoded payloads through public survey forms that execute when administrators view survey results in the WordPress admin dashboard. With a CVSS score of 7.2 and no authentication required, this represents a significant risk to WordPress sites using this plugin.

WordPress XSS
NVD
CVE-2026-3335
EPSS 0% CVSS 5.3
MEDIUM This Month

The Canto plugin for WordPress (versions up to 3.1.1) contains a critical missing authorization vulnerability in the copy-media.php file and related endpoints that allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory. The vulnerability stems from multiple PHP files being directly accessible without authentication, nonce validation, or authorization checks, while also accepting attacker-controlled parameters for API endpoints and domain configuration. An attacker can exploit this to upload malicious files (within WordPress MIME type constraints) or redirect legitimate file operations to attacker-controlled infrastructure, potentially leading to remote code execution or site compromise.

WordPress PHP Authentication Bypass
NVD GitHub
CVE-2026-3570
EPSS 0% CVSS 5.3
MEDIUM This Month

The Smarter Analytics WordPress plugin (all versions up to 2.0) contains an authentication bypass vulnerability that allows unauthenticated attackers to reset plugin configuration and delete all analytics settings via the 'reset' parameter in the global scope of smarter-analytics.php. This is a missing authentication and capability check vulnerability (CWE-862) with a CVSS score of 5.3, classified as moderate severity with low attack complexity and no authentication required. The vulnerability is publicly documented via Wordfence threat intelligence with direct references to the vulnerable code in the WordPress plugin repository, though no active exploitation in the wild or public proof-of-concept has been widely reported.

WordPress PHP Authentication Bypass
NVD
CVE-2026-3334
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The CMS Commander plugin for WordPress contains an SQL Injection vulnerability in all versions up to and including 2.288. Authenticated attackers with API key access can exploit the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in the restore workflow to append malicious SQL queries and extract sensitive database information. With a CVSS score of 8.8, this represents a high-severity vulnerability requiring low attack complexity and low privileges, though no active exploitation (KEV) or public POC has been reported at this time.

WordPress SQLi
NVD GitHub
CVE-2026-2279
EPSS 0% CVSS 7.2
HIGH PATCH This Week

The myLinksDump plugin for WordPress contains a SQL injection vulnerability in the 'sort_by' and 'sort_order' parameters affecting all versions up to and including 1.6. Authenticated attackers with administrator-level access can exploit insufficient input escaping and inadequate SQL query preparation to append malicious SQL queries and extract sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 7.2 with high impact to confidentiality, integrity, and availability.
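
The myLinksDump, CMS Commander and Simply Schedule Appointments entries share one root cause: user input reaching the identifier or column-list part of a query, which `$wpdb->prepare()` cannot parameterise. The following is an added example, not code from any of those plugins; the table, column names and the `acme_` prefix are hypothetical. It shows the vulnerable concatenation next to the allow-list approach for identifiers and placeholders for values.

```php
<?php
// Added illustrative example; not code from myLinksDump, CMS Commander or
// Simply Schedule Appointments. Table name, columns and prefix are hypothetical.
defined( 'ABSPATH' ) || exit;

// --- Vulnerable: identifiers and values concatenated straight from $_GET ---
function acme_vuln_list_links() {
    global $wpdb;
    $sort_by    = $_GET['sort_by'];     // e.g. "name"
    $sort_order = $_GET['sort_order'];  // e.g. "ASC"
    // ORDER BY cannot take a placeholder, and nothing constrains the input, so
    // sort_by = "(SELECT CASE WHEN ... )" gives boolean/time-based extraction.
    return $wpdb->get_results(
        "SELECT id, name, url FROM {$wpdb->prefix}acme_links ORDER BY $sort_by $sort_order"
    );
}

// --- Hardened: allow-list identifiers, prepare() values --------------------
function acme_safe_list_links( $sort_by, $sort_order, $search = '' ) {
    global $wpdb;

    // Identifiers: compare against a fixed list and fall back to a default.
    $columns    = array( 'id', 'name', 'url', 'created' );
    $sort_by    = in_array( $sort_by, $columns, true ) ? $sort_by : 'id';
    $sort_order = ( 'DESC' === strtoupper( (string) $sort_order ) ) ? 'DESC' : 'ASC';

    $sql    = "SELECT id, name, url FROM {$wpdb->prefix}acme_links";
    $params = array();
    if ( '' !== $search ) {
        // Values: placeholders; escape LIKE wildcards in user data first.
        $sql     .= ' WHERE name LIKE %s';
        $params[] = '%' . $wpdb->esc_like( $search ) . '%';
    }
    // $sort_by / $sort_order are now one of our own literals, safe to interpolate.
    $sql .= " ORDER BY {$sort_by} {$sort_order}";

    if ( $params ) {
        $sql = $wpdb->prepare( $sql, $params );
    }
    return $wpdb->get_results( $sql );
}

// 'fields'-style parameter: the column list is the intersection with the
// allow-list, never the raw request value.
function acme_safe_select_fields( array $requested ) {
    global $wpdb;
    $allowed = array( 'id', 'name', 'url' );
    $fields  = array_values( array_intersect( $requested, $allowed ) );
    if ( ! $fields ) {
        $fields = array( 'id' );
    }
    $cols = implode( ', ', $fields );
    return $wpdb->get_results( "SELECT {$cols} FROM {$wpdb->prefix}acme_links" );
}

// Typical caller. sanitize_text_field() strips tags and whitespace; it is not
// an SQL control, which is why the allow-lists above are the actual fix.
function acme_links_from_request() {
    return acme_safe_list_links(
        isset( $_GET['sort_by'] ) ? sanitize_text_field( wp_unslash( $_GET['sort_by'] ) ) : 'id',
        isset( $_GET['sort_order'] ) ? sanitize_text_field( wp_unslash( $_GET['sort_order'] ) ) : 'ASC',
        isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : ''
    );
}
```

When reviewing a plugin for this class, grep for `ORDER BY`, `GROUP BY` and `SELECT` strings that interpolate a variable and then trace whether that variable is ever compared against a fixed list; `esc_sql()` on an identifier does not help, because the attacker never needs a quote character to inject into an identifier position.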

WordPress SQLi
NVD GitHub
CVE-2026-4302
EPSS 0% CVSS 7.2
HIGH This Week

The WowOptin: Next-Gen Popup Maker plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability affecting all versions up to and including 1.4.29. An unauthenticated attacker can exploit a publicly accessible REST API endpoint (optn/v1/integration-action) that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() without validation, allowing arbitrary web requests from the server. This enables querying and modifying information from internal services with a CVSS score of 7.2 (High), though no active exploitation (KEV) or public POC has been documented at this time.
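
The description names the exact anti-pattern: a public REST route whose `permission_callback` is `__return_true` and whose callback feeds a request parameter to `wp_remote_get()`. The block below is an added example, not WowOptin's code; the route, option and host names are hypothetical. It pairs the vulnerable route with a hardened one that uses WordPress's own loopback/private-range filter (`wp_http_validate_url()`, which `wp_safe_remote_*()` also applies through `reject_unsafe_urls`) plus a business allow-list, and that never echoes the upstream body back to the caller.

```php
<?php
// Added illustrative example; not WowOptin's code. Route, option and host
// names are hypothetical.
defined( 'ABSPATH' ) || exit;

// --- Vulnerable: public route, raw URL into wp_remote_get() ----------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/integration-action', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',            // anyone on the internet
        'callback'            => function ( WP_REST_Request $req ) {
            // http://169.254.169.254/latest/meta-data/, http://127.0.0.1:6379/ ...
            $r = wp_remote_get( $req->get_param( 'url' ) );
            return rest_ensure_response( wp_remote_retrieve_body( $r ) ); // and the body comes back
        },
    ) );
} );

// --- Hardened ---------------------------------------------------------------
function acme_integration_url_ok( $url ) {
    // 1. wp_http_validate_url(): http/https only, no userinfo, and the host must
    //    not resolve to loopback, link-local or RFC1918 space (unless a filter allows it).
    if ( ! wp_http_validate_url( $url ) ) {
        return false;
    }
    $parts = wp_parse_url( $url );
    if ( empty( $parts['host'] ) || ! in_array( $parts['scheme'], array( 'http', 'https' ), true ) ) {
        return false;
    }
    // 2. Business allow-list: an "integration" only ever talks to known vendors.
    $allowed_hosts = (array) get_option( 'acme_integration_hosts', array( 'api.example-crm.test' ) ); // hypothetical
    return in_array( strtolower( $parts['host'] ), $allowed_hosts, true );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/integration-action-safe', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );      // nobody anonymous
        },
        'args'                => array(
            'url' => array( 'required' => true, 'type' => 'string', 'format' => 'uri' ),
        ),
        'callback'            => function ( WP_REST_Request $req ) {
            $url = esc_url_raw( $req->get_param( 'url' ), array( 'http', 'https' ) );
            if ( ! acme_integration_url_ok( $url ) ) {
                return new WP_Error( 'acme_bad_url', 'URL not allowed', array( 'status' => 400 ) );
            }
            // wp_safe_remote_post() sets reject_unsafe_urls, so a 302 from the
            // allowed host to an internal address is refused too; redirection=0
            // removes the redirect path entirely.
            $r = wp_safe_remote_post( $url, array(
                'timeout'     => 5,
                'redirection' => 0,
                'body'        => array( 'event' => 'subscribe' ),
            ) );
            if ( is_wp_error( $r ) ) {
                return new WP_Error( 'acme_upstream', 'upstream failed', array( 'status' => 502 ) );
            }
            // Returning only a status keeps a residual SSRF blind instead of a
            // read primitive against internal services.
            return rest_ensure_response( array( 'status' => wp_remote_retrieve_response_code( $r ) ) );
        },
    ) );
} );
```

Two caveats a reviewer should keep in mind: `wp_http_validate_url()` resolves the host at validation time, so a DNS-rebinding target can still pass and then resolve internally at request time (the host allow-list is what closes that), and the `http_request_host_is_external` filter can be used by other plugins to re-open private ranges site-wide.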

WordPress SSRF
NVD VulDB
CVE-2026-2430
EPSS 0% CVSS 6.4
MEDIUM This Month

The Autoptimize WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the lazy-loading image processing function that allows authenticated attackers with Contributor-level access to inject arbitrary web scripts into pages. The flaw exists in all versions up to and including 3.1.14 and stems from an overly permissive regular expression that fails to properly validate image tag attributes, enabling attackers to craft malicious image tags that break HTML structure and promote attribute values into executable code. This vulnerability carries a moderate CVSS score of 6.4 and requires user interaction for stored XSS payloads to execute when pages are accessed.

WordPress XSS
NVD GitHub VulDB
CVE-2026-3474
EPSS 0% CVSS 4.9
MEDIUM This Month

The EmailKit - Email Customizer for WooCommerce & WP WordPress plugin contains a path traversal vulnerability in the TemplateData class that allows authenticated administrators to read arbitrary files from the server via the 'emailkit-editor-template' REST API parameter. An attacker with Administrator privileges can exploit this flaw to access sensitive files such as wp-config.php or /etc/passwd by supplying directory traversal sequences, with the retrieved file contents stored as post metadata and retrievable through the fetch-data REST API endpoint. The vulnerability affects all versions up to and including 1.6.3 and has a moderate CVSS score of 4.9. Because it requires Administrator privileges, and a single-site administrator can normally read those files anyway by installing a plugin, the practical exposure is on multisite installations and on sites that disable plugin installation (DISALLOW_FILE_MODS), where an administrator is not expected to have filesystem access.

WordPress PHP Path Traversal
NVD VulDB
CVE-2026-3350
EPSS 0% CVSS 6.4
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Image Alt Text Manager plugin for WordPress (all versions up to 1.8.2) due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes via DOM parser. Authenticated attackers with Author-level access or higher can inject arbitrary JavaScript through post titles, which executes when other users visit affected pages. With a CVSS score of 6.4 and confirmed reporting by Wordfence, this vulnerability affects SEO-focused WordPress installations relying on this plugin for bulk alt text management.

WordPress XSS
NVD GitHub VulDB
CVE-2026-3567
EPSS 0% CVSS 5.3
MEDIUM This Month

A WordPress plugin (not named in this entry) is vulnerable to unauthorized access in all affected versions (CVSS 5.3); the flaw is reachable by any authenticated user. Remediation should follow standard vulnerability management procedures.

WordPress Authentication Bypass
NVD VulDB
CVE-2026-3516
EPSS 0% CVSS 6.4
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Contact List plugin for WordPress (versions up to 3.0.18) where the '_cl_map_iframe' parameter fails to properly sanitize and escape Google Maps iframe custom fields, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes in the browsers of users viewing affected pages. The vulnerability stems from insufficient input validation in the saveCustomFields() function and missing output escaping in the front-end rendering, creating a persistent XSS condition with a CVSS score of 6.4 and low-to-moderate exploitation probability given the authentication requirement.

WordPress PHP XSS +1
NVD VulDB
CVE-2026-2352
EPSS 0% CVSS 6.4
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Autoptimize WordPress plugin through version 3.1.14, caused by insufficient input sanitization in the ao_metabox_save() function and missing output escaping when rendering the 'ao_post_preload' meta value into HTML link tags. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes whenever users access pages with the Image optimization or Lazy-load images settings enabled, potentially affecting all users of compromised sites. The vulnerability has been patched and proof-of-concept code is available in the referenced GitHub commit.

WordPress PHP XSS
NVD GitHub VulDB
CVE-2026-3572
EPSS 0% CVSS 6.1
MEDIUM This Month

The iTracker360 WordPress plugin (versions up to 2.2.0) contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability in its settings form submission handler. An unauthenticated attacker can craft a malicious link or webpage that, when clicked by an administrator, injects arbitrary JavaScript code into the plugin's stored settings due to missing nonce verification and insufficient input sanitization/output escaping. This vulnerability is classified as medium severity (CVSS 6.1) and poses a real risk to WordPress sites using this plugin, as exploitation requires only user interaction and network access with no special privileges.

WordPress XSS CSRF
NVD VulDB
CVE-2026-4083
EPSS 0% CVSS 6.4
MEDIUM This Month

This is a Stored Cross-Site Scripting (XSS) vulnerability in the Scoreboard for HTML5 Games Lite WordPress plugin affecting all versions up to and including 1.2. The vulnerability exists in the sfhg_shortcode() function, which insufficiently validates HTML attributes added to iframe elements, allowing authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript that executes when users view affected pages. The vulnerability has a CVSS score of 6.4 with medium real-world risk, as it requires authenticated access but affects stored content with site-wide impact.

WordPress XSS
NVD VulDB
CVE-2026-3577
EPSS 0% CVSS 4.4
MEDIUM This Month

The Keep Backup Daily WordPress plugin versions up to 2.1.2 contain a Stored Cross-Site Scripting (XSS) vulnerability in the backup title alias functionality due to insufficient input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript via the `val` parameter in the `update_kbd_bkup_alias` AJAX action, which executes when other administrators view the backup list page. With a CVSS score of 4.4, this vulnerability requires administrator-level access to exploit but can compromise other administrator sessions. On single-site installs administrators hold the unfiltered_html capability and can publish script regardless, so the finding matters mainly on multisite or where that capability has been removed.

WordPress XSS
NVD VulDB
CVE-2026-3368
EPSS 0% CVSS 7.2
HIGH This Week

The Injection Guard plugin for WordPress versions up to 1.2.9 contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious JavaScript into the admin log interface. The flaw stems from insufficient sanitization of query parameter names, which are logged and later rendered without proper output escaping when administrators view the plugin's log page. This enables arbitrary script execution in the context of an authenticated administrator's browser session, potentially leading to account compromise or further malicious actions.

WordPress PHP XSS
NVD VulDB
CVE-2026-3339
EPSS 0% CVSS 2.7
LOW Monitor

The Keep Backup Daily WordPress plugin versions up to 2.1.1 contain a limited path traversal vulnerability in the `kbd_open_upload_dir` AJAX action that allows authenticated administrators to enumerate arbitrary directories on the server. An attacker with Administrator-level access can exploit insufficient sanitization of the `kbd_path` parameter (using only `sanitize_text_field()` which does not prevent path traversal sequences) to list directory contents outside the intended uploads directory. While the CVSS score of 2.7 is low and exploitation requires high-privilege Administrator access, the vulnerability represents a real information disclosure risk in multi-user WordPress environments or where administrator accounts are compromised.

WordPress Path Traversal
NVD GitHub VulDB
CVE-2026-3584
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

The Kali Forms plugin for WordPress ('Kali Forms - Contact Form & Drag-and-Drop Builder' by WPChill) contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction.

WordPress RCE Code Injection
NVD VulDB GitHub
CVE-2026-2432
EPSS 0% CVSS 4.4
MEDIUM This Month

CM Custom Reports - Flexible reporting to track what matters most plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in admin settings that allows authenticated administrators to inject arbitrary web scripts. The vulnerability affects all versions up to and including 1.2.7 and is caused by insufficient input sanitization and output escaping in the GraphModule.php file. While the CVSS score of 4.4 is moderate, exploitation is restricted to high-privilege authenticated attackers on multi-site WordPress installations or where unfiltered_html has been disabled, making real-world exploitability dependent on specific WordPress configurations.

WordPress XSS
NVD VulDB
CVE-2026-3550
EPSS 0% CVSS 5.3
MEDIUM This Month

The RockPress WordPress plugin (versions up to 1.0.17) contains a Missing Authorization vulnerability in five AJAX actions that allows authenticated users with Subscriber-level privileges to trigger privileged operations intended for administrators. The vulnerability stems from a combination of missing capability checks (current_user_can() calls) in AJAX handlers and exposure of an admin nonce to all authenticated users via an unconditionally enqueued script. Attackers can extract the nonce from the HTML source and use it to trigger resource-intensive imports, reset import data, check service connectivity, and read import status information without administrative privileges.
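
The RockPress, Smarter Analytics, Canto and Subscriptions for WooCommerce entries above are variations of one bug: a state-changing handler that either runs with WordPress not loaded at all, or checks a nonce (or nothing) and never a capability, while the nonce itself is handed to every logged-in user. The following is an added example, not code from any of those plugins; the `acme_` names, hook suffix and option keys are hypothetical. It shows the vulnerable enqueue/handler pair beside the hardened one, plus a POST-only admin-post handler for the "reset via GET link" case.

```php
<?php
// Added illustrative example; not code from RockPress, Smarter Analytics, Canto
// or Subscriptions for WooCommerce. All acme_ names are hypothetical.

// Direct-access guard: a plugin file fetched over HTTP without WordPress loaded
// has no users, capabilities or nonces (the state the Canto/Smarter Analytics
// entries describe). Bootstrap-free files must bail out immediately.
defined( 'ABSPATH' ) || exit;

function acme_do_expensive_import() {
    set_transient( 'acme_import_running', time(), MINUTE_IN_SECONDS );
    // ... real import work would go here ...
}

// --- Vulnerable pattern (kept under a *_vuln action name for comparison) ----
// 1. The nonce reaches every logged-in user because the script is enqueued
//    on every admin page for everyone.
// 2. The handler verifies the nonce but never the capability, so a Subscriber
//    who reads the nonce out of the page source can trigger the import.
function acme_vuln_enqueue() {
    wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acme-admin', 'acmeAjax', array( 'nonce' => wp_create_nonce( 'acme_admin' ) ) );
}
add_action( 'admin_enqueue_scripts', 'acme_vuln_enqueue' );

function acme_vuln_run_import() {
    check_ajax_referer( 'acme_admin', 'nonce' );   // proves intent, not authority
    acme_do_expensive_import();                     // reachable by any logged-in user
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_run_import_vuln', 'acme_vuln_run_import' );

// --- Hardened pattern -------------------------------------------------------
// The nonce is only emitted for users who may perform the action, is scoped to
// one action, and the handler re-checks the capability itself.
function acme_safe_enqueue( $hook_suffix ) {
    if ( 'toplevel_page_acme' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acme-admin', 'acmeAjax', array( 'nonce' => wp_create_nonce( 'acme_run_import' ) ) );
}
add_action( 'admin_enqueue_scripts', 'acme_safe_enqueue' );

function acme_safe_run_import() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );     // authorization first
    }
    check_ajax_referer( 'acme_run_import', 'nonce' ); // then CSRF protection
    acme_do_expensive_import();
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_run_import', 'acme_safe_run_import' );
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated callers get "0".

// Reset/cancel via link: state changes go through admin-post, POST only, with
// capability + nonce, so a bare GET from a phishing mail or <img> does nothing.
function acme_safe_reset_settings() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'acme_reset_settings' );
    delete_option( 'acme_settings' );
    wp_safe_redirect( add_query_arg( 'page', 'acme', admin_url( 'admin.php' ) ) );
    exit;
}
add_action( 'admin_post_acme_reset_settings', 'acme_safe_reset_settings' );
```

The review rule that falls out of this: a nonce answers "did this request originate from a page we rendered for this user?", and a capability check answers "may this user do this at all?"; a handler needs both, and `wp_ajax_nopriv_` hooks and files without the `ABSPATH` guard need the second answered by design, not by accident.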

WordPress PHP Authentication Bypass
NVD VulDB
CVE-2026-2421
EPSS 0% CVSS 6.5
MEDIUM This Month

A Path Traversal vulnerability exists in the ilGhera Carta Docente for WooCommerce plugin for WordPress (versions up to and including 1.5.0) that allows authenticated administrators to delete arbitrary files on the server through insufficient validation of the 'cert' parameter in the 'wccd-delete-certificate' AJAX action. An attacker with administrator privileges can exploit this to delete critical files such as wp-config.php, leading to site takeover and potential remote code execution: once wp-config.php is gone, WordPress presents its setup wizard, and whoever reaches it first can point the site at a database they control and create a new administrator. The vulnerability has been documented by Wordfence security researchers and affects all versions from release through 1.5.0, with a patch available in version 1.5.1 and later.

WordPress PHP Path Traversal +1
NVD VulDB
CVE-2026-4136
EPSS 0% CVSS 4.3
MEDIUM This Month

The Membership Plugin - Restrict Content for WordPress contains an unvalidated redirect vulnerability in the 'rcp_redirect' parameter that allows unauthenticated attackers to redirect users to arbitrary external sites via password reset emails. Affected versions include all releases up to and including 3.2.24. This vulnerability has a CVSS score of 4.3 (low-to-moderate severity) and requires user interaction, limiting its immediate exploitation impact but creating a viable phishing vector for credential harvesting or malware distribution.
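
An unvalidated redirect parameter that ends up in a password-reset email is dangerous precisely because the link itself is legitimate: the host is the real site, and only the final hop lands elsewhere. The block below is an added example, not Restrict Content's code; the parameter and function names are hypothetical. It shows the vulnerable round-trip (attacker value stored, then `wp_redirect()`), and the hardened version that validates on entry with `wp_validate_redirect()` and again on exit with `wp_safe_redirect()`.

```php
<?php
// Added illustrative example; not Restrict Content's code. Names are hypothetical.
defined( 'ABSPATH' ) || exit;

// --- Vulnerable: attacker-chosen 'redirect' copied into the reset email ----
function acme_vuln_reset_link( WP_User $user, $key ) {
    $after = isset( $_POST['redirect'] ) ? $_POST['redirect'] : home_url();
    // Mail now contains https://victim.test/wp-login.php?action=rp&key=...&redirect=https://evil.example/
    return add_query_arg( array(
        'action'   => 'rp',
        'key'      => $key,
        'login'    => rawurlencode( $user->user_login ),
        'redirect' => $after,
    ), wp_login_url() );
}
function acme_vuln_after_reset() {
    wp_redirect( $_GET['redirect'] );   // wp_redirect() performs no host check
    exit;
}

// --- Hardened ---------------------------------------------------------------
function acme_safe_reset_link( WP_User $user, $key ) {
    // Validate where the value enters: an absolute URL to another host, a
    // protocol-relative "//evil.example" or a non-http scheme collapses to the fallback.
    $after = isset( $_POST['redirect'] ) ? wp_unslash( $_POST['redirect'] ) : '';
    $after = wp_validate_redirect( $after, home_url( '/' ) );
    return add_query_arg( array(
        'action'   => 'rp',
        'key'      => $key,
        'login'    => rawurlencode( $user->user_login ),
        'redirect' => rawurlencode( $after ),
    ), wp_login_url() );
}
function acme_safe_after_reset() {
    $to = isset( $_GET['redirect'] ) ? wp_unslash( $_GET['redirect'] ) : '';
    if ( '' === $to ) {
        $to = home_url( '/' );
    }
    // wp_safe_redirect() re-runs wp_validate_redirect() against the site host
    // and the allowed_redirect_hosts list, so a value tampered after the
    // email was sent is still neutralised here.
    wp_safe_redirect( $to, 302 );
    exit;
}

// A second first-party host (e.g. a separate checkout domain) is opted in
// explicitly rather than by loosening the check.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'checkout.example.test';   // hypothetical
    return $hosts;
} );

// Behaviour on a site whose home_url() is https://victim.test (constructed):
//   wp_validate_redirect( 'https://evil.example/', '/' )  => '/'
//   wp_validate_redirect( '//evil.example/x', '/' )       => '/'
//   wp_validate_redirect( '/my-account/', '/' )           => '/my-account/'
//   wp_validate_redirect( 'https://victim.test/a', '/' )  => 'https://victim.test/a'
```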

WordPress Information Disclosure
NVD VulDB
CVE-2026-4038
EPSS 0% CVSS 9.8
CRITICAL Act Now

The Aimogen Pro plugin for WordPress contains an arbitrary function call vulnerability allowing unauthenticated attackers to execute privileged WordPress functions without authorization. All versions up to and including 2.7.5 are affected, enabling attackers to modify critical site settings such as changing the default user registration role to administrator, then registering as an admin to gain full site control. This is a critical authentication bypass with privilege escalation rated 9.8 CVSS, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
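
"Arbitrary function call" almost always means a dispatcher of the form `call_user_func($_POST['fn'], ...)`, and the entry spells out the payoff: `update_option('default_role', 'administrator')` followed by self-registration. The block below is an added example, not Aimogen Pro's code; the verbs, handlers and `acme_` names are hypothetical. It contrasts that dispatcher with a fixed verb-to-handler map in which the request can select a handler but never name a PHP function, and each handler performs its own authorization.

```php
<?php
// Added illustrative example; not Aimogen Pro's code. All acme_ names are hypothetical.
defined( 'ABSPATH' ) || exit;

// --- Vulnerable dispatcher: the request names the PHP function ------------
function acme_vuln_dispatch() {
    $fn   = $_POST['fn'];                                               // "update_option"
    $args = isset( $_POST['args'] ) ? (array) $_POST['args'] : array(); // ["default_role","administrator"]
    wp_send_json( call_user_func_array( $fn, $args ) );
    // With users_can_register=1 (also settable this way) the attacker registers
    // and lands as an administrator: the exact chain the entry describes.
}
add_action( 'wp_ajax_nopriv_acme_dispatch_vuln', 'acme_vuln_dispatch' );

// --- Hardened: fixed verb -> handler map; each handler owns its own checks ---
function acme_safe_dispatch() {
    $handlers = array(
        'generate' => 'acme_generate_text',
        'status'   => 'acme_job_status',
    );
    $verb = isset( $_POST['verb'] ) ? sanitize_key( wp_unslash( $_POST['verb'] ) ) : '';
    if ( ! isset( $handlers[ $verb ] ) ) {
        wp_send_json_error( 'unknown verb', 400 );
    }
    check_ajax_referer( 'acme_' . $verb, 'nonce' );
    // Arguments are decoded here and validated per handler. The callable comes
    // from our own array, so the reachable surface is exactly two functions.
    $payload = isset( $_POST['payload'] ) ? json_decode( wp_unslash( $_POST['payload'] ), true ) : array();
    wp_send_json( call_user_func( $handlers[ $verb ], is_array( $payload ) ? $payload : array() ) );
}
add_action( 'wp_ajax_acme_dispatch', 'acme_safe_dispatch' );
// No wp_ajax_nopriv_ hook: this feature has no anonymous use case.

function acme_generate_text( array $p ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $prompt = isset( $p['prompt'] ) ? sanitize_textarea_field( $p['prompt'] ) : '';
    if ( '' === $prompt || strlen( $prompt ) > 4000 ) {
        wp_send_json_error( 'bad prompt', 400 );
    }
    return array( 'queued' => true, 'prompt_len' => strlen( $prompt ) );
}

function acme_job_status( array $p ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $job = isset( $p['job'] ) ? absint( $p['job'] ) : 0;
    return array( 'job' => $job, 'state' => get_transient( 'acme_job_' . $job ) ?: 'unknown' );
}

// Triage hint for a plugin tree (the same shape also appears as
// array( $obj, $_REQUEST['method'] ) or $fn = $_GET['cb']; $fn();):
//   grep -rnE 'call_user_func(_array)?\(\s*\$_(GET|POST|REQUEST)' wp-content/plugins
```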

WordPress Privilege Escalation Authentication Bypass
NVD VulDB
CVE-2026-4267
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Query Monitor, a WordPress debugging plugin, contains a Reflected Cross-Site Scripting (XSS) vulnerability in versions up to 3.20.3 where user-controlled data from REQUEST_URI is insufficiently escaped before rendering in the admin interface. Unauthenticated attackers can craft malicious links that, when clicked by Administrator users, execute arbitrary JavaScript in their browser context. The vulnerability has a CVSS score of 6.1 (Medium) and requires user interaction, but represents a direct attack vector against high-privilege WordPress administrators.

WordPress XSS
NVD GitHub
CVE-2026-3658
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit SQL injection in the Simply Schedule Appointments Booking Plugin for WordPress (versions up to 1.6.10.0) through the 'fields' parameter to extract sensitive database information including usernames, email addresses, and password hashes. The vulnerability stems from insufficient input escaping and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.

WordPress PHP SQLi +2
NVD VulDB
CVE-2026-27070
EPSS 0% CVSS 7.1
HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in the Everest Forms Pro WordPress plugin that allows attackers to inject malicious scripts into web pages. The plugin versions through 1.9.10 are affected, and the vulnerability can be exploited over the network with low attack complexity requiring no privileges but user interaction. With a CVSS score of 7.1 and reported by Patchstack audit team, this represents a moderate-to-high severity issue with scope change indicating potential impact beyond the vulnerable component.

WordPress PHP XSS
NVD VulDB
CVE-2026-25443
EPSS 0% CVSS 7.5
HIGH This Week

Dotstore Fraud Prevention For Woocommerce versions through 2.3.3 contain an authorization bypass vulnerability that allows unauthenticated attackers to manipulate access control settings and cause denial of service. The missing authorization checks enable remote exploitation without user interaction, affecting WordPress installations using this plugin. No patch is currently available for this vulnerability.

WordPress Information Disclosure
NVD VulDB
CVE-2026-3475
EPSS 0% CVSS 5.3
MEDIUM This Month

A remote code execution vulnerability in Instant Popup Builder (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

WordPress PHP RCE +2
NVD VulDB
CVE-2026-2571
EPSS 0% CVSS 4.3
MEDIUM This Month

The Download Manager plugin for WordPress contains a missing capability check in the 'reviewUserStatus' function that allows authenticated subscribers and above to access sensitive user information without proper authorization. Affected versions include all releases up to and including 3.3.49, enabling attackers with minimal privileges to retrieve email addresses, display names, and registration dates for any user on the site. While the CVSS score of 4.3 is moderate and the vulnerability requires authentication, the ease of exploitation and the breadth of exposed personal data present a meaningful information disclosure risk for WordPress installations using this plugin.

WordPress PHP Information Disclosure +2
NVD VulDB
CVE-2026-4006
EPSS 0% CVSS 6.4
MEDIUM This Month

The Simple Draft List WordPress plugin by Dartiss contains a Stored Cross-Site Scripting vulnerability in versions up to 2.6.2, caused by insufficient input sanitization and output escaping of the 'display_name' post meta field. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript via the {{author+link}} template tag when no author URL is present, which will execute whenever users visit pages containing the [drafts] shortcode. The vulnerability has a CVSS score of 6.4 with a network attack vector and low attack complexity, requiring only low-level privileges.

WordPress PHP XSS +1
NVD VulDB
CVE-2026-4120
EPSS 0% CVSS 6.4
MEDIUM This Month

The Info Cards - Add Text and Media in Card Layouts WordPress plugin versions up to 2.0.7 contains a Stored Cross-Site Scripting vulnerability in the 'btnUrl' parameter of the Info Cards block that allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript code. The vulnerability exists because the plugin fails to validate URL protocols (specifically javascript: schemes) on the server side, and the client-side rendering directly inserts unsanitized URLs into anchor href attributes, enabling script execution when users click the malicious button links. While there is no indication of active KEV exploitation, the low attack complexity and low privilege requirements make this a practical threat in multi-author WordPress environments.
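
The Info Cards entry (javascript: in an href), the Scoreboard for HTML5 Games entry (free-form iframe attributes), the Contact List entry (an unescaped iframe field) and the Image Alt Text Manager entry (post titles into alt/title) all come down to choosing the escaper for the output context. The block below is an added example, not code from any of those plugins; the shortcode, attribute set and host allow-list are hypothetical. It shows a shortcode that pastes attributes into markup unchanged next to one that uses `esc_url()` for URLs, `esc_attr()` for attribute values and integer casts for dimensions, with no free-form attribute slot at all.

```php
<?php
// Added illustrative example; not code from Info Cards, Scoreboard for HTML5
// Games, Contact List or Image Alt Text Manager. Names/hosts are hypothetical.
defined( 'ABSPATH' ) || exit;

// --- Vulnerable: attributes and URLs dropped into markup unchanged --------
function acme_vuln_embed( $atts ) {
    $a = shortcode_atts( array( 'src' => '', 'title' => '', 'link' => '', 'extra' => '' ), $atts );
    // A Contributor can save [acme_embed title='x" onload="alert(1)'], or
    // link="javascript:alert(1)", or extra="onmouseover=alert(1)".
    return '<iframe src="' . $a['src'] . '" title="' . $a['title'] . '" ' . $a['extra'] . '></iframe>'
         . '<a href="' . $a['link'] . '">more</a>';
}

// --- Hardened: one escaper per output context, no free-form attribute ------
function acme_safe_embed( $atts ) {
    $a = shortcode_atts( array(
        'src' => '', 'title' => '', 'link' => '', 'width' => '600', 'height' => '400',
    ), $atts, 'acme_embed' );

    // iframe source: http(s) only, and only from hosts we intend to embed.
    $src  = esc_url( $a['src'], array( 'http', 'https' ) );
    $host = $src ? wp_parse_url( $src, PHP_URL_HOST ) : '';
    if ( ! in_array( $host, array( 'www.google.com', 'player.vimeo.com' ), true ) ) { // hypothetical allow-list
        return '';
    }
    // esc_url() rejects javascript:, data:, vbscript: ... (returns '') and
    // encodes quotes, so a link cannot become a script gadget or break out of href="".
    $link = esc_url( $a['link'] );
    // Dimensions: cast; a string like '400" onload="alert(1)' becomes 400.
    $w = absint( $a['width'] );
    $h = absint( $a['height'] );

    $out = sprintf(
        '<iframe src="%s" title="%s" width="%d" height="%d" loading="lazy" referrerpolicy="no-referrer"></iframe>',
        $src,                    // esc_url() output is attribute-safe
        esc_attr( $a['title'] ), // attribute context: quotes and angle brackets encoded
        $w,
        $h
    );
    if ( $link ) {
        $out .= '<a href="' . $link . '" rel="noopener">' . esc_html__( 'more', 'acme' ) . '</a>';
    }
    return $out;
}
add_shortcode( 'acme_embed', 'acme_safe_embed' );

// alt/title generated from a post title: Authors without unfiltered_html
// control that string, so it is escaped at output, inside the attribute.
function acme_safe_img( $src, $post_title ) {
    return '<img src="' . esc_url( $src ) . '" alt="' . esc_attr( $post_title ) . '" title="' . esc_attr( $post_title ) . '">';
}

// Constructed values, for reference:
//   esc_url( 'javascript:alert(1)' )       => ''
//   esc_attr( 'x" onload="alert(1)' )      => 'x&quot; onload=&quot;alert(1)'
//   absint( '400" onload="alert(1)' )      => 400
```

The Info Cards entry also notes the check was missing server-side while the client rendered the URL into `href` directly; the rule is the same on either side, but the server-side allow-list is the one an attacker cannot bypass by posting the block's JSON straight to the REST API.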

WordPress PHP XSS
NVD VulDB
CVE-2026-4068
EPSS 0% CVSS 4.3
MEDIUM This Month

The Add Custom Fields to Media WordPress plugin versions up to 2.0.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in the field deletion functionality that allows unauthenticated attackers to delete arbitrary custom media fields. The vulnerability exists because the plugin validates nonces for the 'add field' operation but fails to validate nonces on the 'delete field' operation, which processes the $_GET['delete'] parameter directly. An attacker can exploit this by tricking a site administrator into clicking a malicious link, resulting in unauthorized deletion of custom media field configurations with no authentication required beyond social engineering.
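
Two entries above are the same CSRF shape with different consequences: Add Custom Fields to Media (a delete driven by `$_GET['delete']` with no nonce) and iTracker360 (a settings form with no nonce whose values are later rendered unescaped, turning CSRF into stored XSS). The block below is an added example, not code from either plugin; the page slug, option names and `acme_` functions are hypothetical. It shows the nonce generated into the delete link with `wp_nonce_url()`, verified with `check_admin_referer()`, and the settings value validated by shape and escaped for the context it is emitted into.

```php
<?php
// Added illustrative example; not code from Add Custom Fields to Media or
// iTracker360. Page slug, option names and acme_ functions are hypothetical.
defined( 'ABSPATH' ) || exit;

function acme_delete_field( $id ) {
    $fields = (array) get_option( 'acme_media_fields', array() );
    unset( $fields[ $id ] );
    update_option( 'acme_media_fields', $fields );
}

// --- Vulnerable: delete acts on a bare GET parameter, settings unescaped -----
function acme_vuln_fields_page() {
    if ( isset( $_GET['delete'] ) ) {
        // <img src="https://victim.test/wp-admin/admin.php?page=acme&delete=3">
        // on any page an admin opens is enough; the admin's cookies ride along.
        acme_delete_field( (int) $_GET['delete'] );
    }
    if ( isset( $_POST['save'] ) ) {
        update_option( 'acme_tracking_snippet', $_POST['snippet'] );  // no nonce, no sanitization
    }
    echo '<script>' . get_option( 'acme_tracking_snippet' ) . '</script>'; // no escaping: CSRF -> stored XSS
}

// --- Hardened -----------------------------------------------------------------
function acme_field_delete_url( $field_id ) {
    // Nonce bound to the action *and* the object, carried in the link itself.
    return wp_nonce_url(
        add_query_arg( array( 'page' => 'acme', 'delete' => (int) $field_id ), admin_url( 'admin.php' ) ),
        'acme_delete_field_' . (int) $field_id
    );
}

function acme_safe_fields_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions', 'acme' ), '', array( 'response' => 403 ) );
    }
    if ( isset( $_GET['delete'] ) ) {
        $id = absint( $_GET['delete'] );
        check_admin_referer( 'acme_delete_field_' . $id );   // dies on missing/invalid/expired nonce
        acme_delete_field( $id );
        wp_safe_redirect( add_query_arg( array( 'page' => 'acme', 'deleted' => 1 ), admin_url( 'admin.php' ) ) );
        exit;
    }
    if ( isset( $_POST['save'] ) ) {
        check_admin_referer( 'acme_save_settings' );
        // Store the narrowest representation: a measurement ID validated by
        // shape, not a free-form snippet that has to be trusted later.
        $id = isset( $_POST['tracking_id'] ) ? sanitize_text_field( wp_unslash( $_POST['tracking_id'] ) ) : '';
        if ( preg_match( '/^[A-Z0-9-]{4,32}$/', $id ) ) {
            update_option( 'acme_tracking_id', $id );
        }
    }
    $id = get_option( 'acme_tracking_id', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'acme_save_settings' ); ?>
        <input name="tracking_id" value="<?php echo esc_attr( $id ); ?>">
        <button name="save" value="1"><?php esc_html_e( 'Save', 'acme' ); ?></button>
    </form>
    <?php
    // Output context is a JS string literal: esc_js() plus the shape check above.
    if ( '' !== $id ) {
        echo '<script>acmeTrack("' . esc_js( $id ) . '");</script>';
    }
}
```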

WordPress PHP CSRF +1
NVD VulDB
CVE-2026-27096
EPSS 0% CVSS 8.1
HIGH This Week

The ColorFolio Freelance Designer WordPress Theme versions up to 1.3 contains a deserialization of untrusted data vulnerability that allows attackers to perform PHP Object Injection. This enables remote unauthenticated attackers to execute arbitrary code or manipulate application logic, though exploitation requires high attack complexity. There is no evidence of active exploitation (not in CISA KEV), and EPSS score data is not provided, but the vulnerability has been publicly disclosed by Patchstack.

Deserialization WordPress Colorfolio Freelance Designer Wordpress Theme
NVD VulDB
CVE-2026-27540
EPSS 0% CVSS 9.0
CRITICAL Act Now

An unrestricted file upload vulnerability exists in the Woocommerce Wholesale Lead Capture plugin for WordPress, allowing remote attackers to upload and execute malicious files without authentication. The vulnerability affects all versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. With a CVSS score of 9.0 (Critical), this vulnerability enables attackers to achieve complete system compromise through arbitrary file upload, though the attack complexity is rated as high.
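
"Unrestricted file upload" in a lead-capture form almost always means the handler trusted the client-supplied file name and `Content-Type`. The block below is an added example, not Woocommerce Wholesale Lead Capture's code; the action, MIME map and post type are hypothetical. It shows the header-only check next to a handler that decides the type from the bytes and extension with `wp_check_filetype_and_ext()`, lets `wp_handle_upload()` place the file under a generated name, and never returns a public URL to the caller.

```php
<?php
// Added illustrative example; not Woocommerce Wholesale Lead Capture's code.
// Action names, MIME map and post type are hypothetical.
defined( 'ABSPATH' ) || exit;

// --- Vulnerable: trusts the client's file name and MIME type -------------
function acme_vuln_lead_upload() {
    $f = $_FILES['attachment'];
    // "shell.php" sent with Content-Type: image/png passes a header-only check,
    // and the original name is kept, so the result is web-reachable and executable.
    if ( 0 === strpos( $f['type'], 'image/' ) ) {
        move_uploaded_file( $f['tmp_name'], wp_upload_dir()['basedir'] . '/leads/' . $f['name'] );
    }
}

// --- Hardened --------------------------------------------------------------
function acme_safe_lead_upload() {
    // 1. A public form still gets a nonce tied to its render (and rate limiting,
    //    not shown); anything beyond a single small file needs a capability.
    check_ajax_referer( 'acme_lead_form', 'nonce' );
    if ( empty( $_FILES['attachment'] ) || UPLOAD_ERR_OK !== $_FILES['attachment']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $f = $_FILES['attachment'];
    if ( $f['size'] > 2 * MB_IN_BYTES ) {
        wp_send_json_error( 'too large', 413 );
    }

    // 2. Type from bytes + extension, never from the request headers.
    $allowed = array( 'pdf' => 'application/pdf', 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
    $check   = wp_check_filetype_and_ext( $f['tmp_name'], $f['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'type not allowed', 415 );  // .php, .phtml, .phar, .svg, .html all end here
    }

    // 3. Let WordPress place it with a generated name and the site's upload rules.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $moved = wp_handle_upload( $f, array(
        'test_form'                => false,
        'mimes'                    => $allowed,
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_password( 24, false ) . $ext;   // never the client's name
        },
    ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( 'upload failed', 500 );
    }

    // 4. Record the path on a private object; serve later through a handler
    //    that sends Content-Disposition: attachment rather than by exposing the URL.
    $lead_id = wp_insert_post( array(
        'post_type'   => 'acme_lead',
        'post_status' => 'private',
        'post_title'  => 'lead ' . gmdate( 'c' ),
    ) );
    update_post_meta( $lead_id, '_acme_attachment_path', $moved['file'] );
    wp_send_json_success( array( 'lead' => $lead_id ) );
}
add_action( 'wp_ajax_nopriv_acme_lead_upload', 'acme_safe_lead_upload' );
add_action( 'wp_ajax_acme_lead_upload', 'acme_safe_lead_upload' );
```

The Canto entry above describes the weaker variant of this bug, an upload constrained only by the site's default MIME list; that list still admits SVG (scriptable) on sites that have enabled it and is bypassed entirely if the handler writes the file itself instead of going through `wp_handle_upload()`.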

File Upload WordPress Woocommerce Wholesale Lead Capture
NVD VulDB
CVE-2026-27542
EPSS 0% CVSS 9.8
CRITICAL Act Now

An incorrect privilege assignment vulnerability exists in the WooCommerce Wholesale Lead Capture plugin for WordPress, allowing unauthenticated attackers to escalate privileges on affected sites. All versions through 2.0.3.1 of the plugin developed by Rymera Web Co Pty Ltd. are vulnerable. With a CVSS score of 9.8 (Critical) and network-based exploitation requiring no privileges or user interaction, this represents a severe security risk for WordPress sites using this plugin.

WordPress Privilege Escalation Woocommerce Wholesale Lead Capture
NVD VulDB
CVE-2026-1238
EPSS 0% CVSS 7.2
HIGH This Week

The SlimStat Analytics plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the 'fh' (fingerprint) parameter that allows unauthenticated attackers to inject malicious scripts into pages. All versions up to and including 5.3.5 are affected due to insufficient input sanitization and output escaping. The vulnerability has a CVSS score of 7.2 with network-based attack vector requiring no privileges or user interaction, though no active exploitation (KEV) or EPSS data is currently reported.

WordPress XSS Slimstat Analytics
NVD
CVE-2026-1463
EPSS 0% CVSS 8.8
HIGH This Week

The NextGEN Gallery plugin for WordPress contains a Local File Inclusion vulnerability in the 'template' parameter of gallery shortcodes, affecting all versions up to and including 4.0.3. Authenticated attackers with Author-level privileges or higher can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or complete site compromise. As with most LFI, the attacker still needs PHP-bearing content on disk that they can reach, for example an uploaded image with embedded PHP or a writable log, which is why LFI findings are typically chained with an upload primitive. This is a confirmed vulnerability reported by Wordfence with a high CVSS score of 8.8, though no active exploitation (KEV) status has been reported at this time.
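
The EmailKit (read), Keep Backup Daily (list), ilGhera Carta Docente (delete) and NextGEN Gallery (include) entries are all the same missing check on a user-supplied path. The block below is an added example, not code from any of those plugins; the directory, action and `acme_` names are hypothetical. It centres on one containment helper built on `realpath()` (which also defeats symlinks and the `/uploads` vs `/uploads-evil` prefix trick), uses it for the list and delete cases, and for the include case shows that the right answer is a fixed name-to-file map rather than path resolution at all.

```php
<?php
// Added illustrative example; not code from EmailKit, Keep Backup Daily,
// ilGhera Carta Docente or NextGEN Gallery. All acme_ names are hypothetical.
defined( 'ABSPATH' ) || exit;

// Resolve a user-supplied relative path and return its real path only if it
// lies inside $base_dir. Handles "..", symlinks and the "/uploads" vs
// "/uploads-evil" prefix trick. Returns false for anything else or non-existent.
function acme_path_inside( $base_dir, $candidate ) {
    $base = realpath( $base_dir );
    if ( false === $base || false !== strpos( $candidate, "\0" ) ) {
        return false;                      // no base, or NUL byte in the input
    }
    $base_slash = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    $full       = realpath( $base_slash . ltrim( $candidate, '/\\' ) );
    if ( false === $full ) {
        return false;                      // does not exist (for create, resolve dirname() instead)
    }
    if ( $full !== rtrim( $base, DIRECTORY_SEPARATOR ) && 0 !== strpos( $full, $base_slash ) ) {
        return false;                      // resolved outside the base directory
    }
    return $full;
}

// Directory listing (Keep Backup Daily shape). sanitize_text_field() leaves
// "../../.." intact, so it is not a containment check.
function acme_safe_list_backup_dir() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'acme_backups', 'nonce' );
    $rel  = isset( $_POST['path'] ) ? sanitize_text_field( wp_unslash( $_POST['path'] ) ) : '';
    $base = wp_upload_dir()['basedir'] . '/acme-backups';
    $dir  = acme_path_inside( $base, $rel );
    if ( ! $dir || ! is_dir( $dir ) ) {
        wp_send_json_error( 'bad path', 400 );
    }
    wp_send_json_success( array_values( array_diff( scandir( $dir ), array( '.', '..' ) ) ) );
}
add_action( 'wp_ajax_acme_list_backup_dir', 'acme_safe_list_backup_dir' );

// File delete (ilGhera shape): same helper, plus basename() and an extension
// check so the handler can only ever delete what it created.
function acme_safe_delete_cert() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'acme_delete_cert', 'nonce' );
    $name = isset( $_POST['cert'] ) ? basename( sanitize_file_name( wp_unslash( $_POST['cert'] ) ) ) : '';
    $file = acme_path_inside( wp_upload_dir()['basedir'] . '/acme-certs', $name );
    if ( ! $file || ! is_file( $file ) || 'pem' !== pathinfo( $file, PATHINFO_EXTENSION ) ) {
        wp_send_json_error( 'bad file', 400 );
    }
    wp_delete_file( $file );
    wp_send_json_success();
}
add_action( 'wp_ajax_acme_delete_cert', 'acme_safe_delete_cert' );

// Template include (NextGEN shape): do not resolve user input at all;
// map a short name onto a file the plugin ships.
function acme_safe_render_template( $name ) {
    $templates = array(
        'default' => 'gallery-default.php',
        'compact' => 'gallery-compact.php',
    );
    if ( ! isset( $templates[ $name ] ) ) {
        $name = 'default';
    }
    include plugin_dir_path( __FILE__ ) . 'templates/' . $templates[ $name ];
}
```

`validate_file()` from core is a weaker substitute: it rejects `../` in most positions but is a string check rather than a filesystem one, so it says nothing about symlinks or about a base directory that is itself attacker-influenced.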

WordPress PHP Lfi +2
NVD VulDB
CVE-2026-2992
EPSS 0% CVSS 8.2
HIGH This Week

The KiviCare clinic management plugin for WordPress contains a critical privilege escalation vulnerability allowing unauthenticated attackers to create new clinics and administrative users through an unprotected REST API endpoint. All versions up to and including 4.1.2 are affected. With a CVSS score of 8.2 and network-based exploitation requiring no authentication, this represents a significant risk to healthcare data confidentiality and system integrity, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.

WordPress Privilege Escalation Authentication Bypass
NVD VulDB
CVE-2026-2991
EPSS 0% CVSS 7.3
HIGH This Week

The KiviCare Clinic & Patient Management System (EHR) plugin for WordPress contains a critical authentication bypass vulnerability allowing unauthenticated attackers to log in as any patient by simply providing their email address and an arbitrary access token value. All versions up to and including 4.1.2 are affected, exposing sensitive medical records, appointments, prescriptions, and billing information (PII/PHI). The CVSS score of 9.8 reflects the severity of unauthenticated remote exploitation with high impact to confidentiality, integrity, and availability.

WordPress Authentication Bypass
NVD VulDB
CVE-2026-3090
EPSS 0% CVSS 7.2
HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in the Post SMTP WordPress plugin through version 3.8.0, allowing unauthenticated attackers to inject malicious scripts via the 'event_type' parameter. The vulnerability requires the Post SMTP Pro plugin with its Reporting and Tracking extension to be enabled for exploitation. With a CVSS score of 7.2 and unauthenticated network-based exploitation possible, this represents a moderate-to-high severity risk for WordPress sites using both the free and Pro versions of Post SMTP together.

WordPress XSS
NVD VulDB
CVE-2026-2512
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The Code Embed plugin for WordPress (versions up to 2.5.1) contains a stored cross-site scripting vulnerability that allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into pages through custom field meta values. The vulnerability exists because the plugin's sanitization function only runs during post saves, while WordPress AJAX endpoints can add meta fields without triggering sanitization, and the plugin then outputs these unsanitized values directly without HTML escaping. An attacker can inject malicious scripts that execute whenever any user visits an affected page, potentially leading to session hijacking, credential theft, or malware distribution.

WordPress XSS Code Embed
NVD GitHub VulDB
CVE-2026-2559
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Post SMTP WordPress plugin for versions up to 3.8.0 contains an authorization bypass vulnerability in the Office 365 OAuth redirect handler that allows authenticated subscribers and above to overwrite sensitive SMTP configuration without proper capability checks or nonce validation. An attacker with subscriber-level access can craft a malicious URL to inject attacker-controlled Azure app credentials into the site's Microsoft 365 configuration, potentially causing administrators to unknowingly connect to the attacker's account during Pro wizard setup. This vulnerability has a CVSS score of 5.3 and is classified as CWE-862 (Missing Authorization), with active evidence of the vulnerable code path present in the plugin repository.

WordPress Microsoft Authentication Bypass
NVD GitHub VulDB
CVE-2026-1217
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The Yoast Duplicate Post WordPress plugin through version 4.5 contains a missing capability check vulnerability in the clone_bulk_action_handler() and republish_request() functions, allowing authenticated attackers with Contributor-level access to duplicate restricted posts (private, draft, trashed) and Author-level attackers to overwrite published posts via the Rewrite & Republish feature. The vulnerability carries a CVSS score of 5.4 (medium severity) with ENISA EUVD tracking (EUVD-2026-12800), and Wordfence has documented specific vulnerable code paths in the plugin's bulk handler and post republisher modules.

WordPress Authentication Bypass Yoast Duplicate Post
NVD VulDB
CVE-2026-3512
EPSS 0% CVSS 6.1
MEDIUM This Month

The Writeprint Stylometry WordPress plugin (versions up to 0.1) contains a Reflected Cross-Site Scripting (XSS) vulnerability in the bjl_wprintstylo_comments_nav() function that fails to properly sanitize and escape the 'p' GET parameter before outputting it in HTML href attributes. An attacker can craft a malicious link containing arbitrary JavaScript code and trick users into clicking it, resulting in session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (clicking a link) but has a network attack vector with low complexity and no privilege requirements, making it a practical threat in WordPress ecosystems.

WordPress XSS Writeprint Stylometry
NVD VulDB
CVE-2025-15363
EPSS 0% CVSS 5.9
MEDIUM POC This Month

The Get Use APIs WordPress plugin before version 2.0.10 contains a Cross-Site Scripting (XSS) vulnerability that arises from unsanitized execution of imported JSON data. This vulnerability allows attackers with contributor-level privileges (a low-level WordPress role) to inject and execute malicious scripts under certain server configurations, potentially compromising site integrity and user data. A public proof-of-concept exploit is available via WPScan, and the vulnerability has been documented in multiple intelligence sources (WPScan, VulDB, and EUVD-2025-208813), indicating active awareness in the security community.

WordPress XSS Get Use Apis +1
NVD WPScan VulDB
CVE-2026-1926
EPSS 0% CVSS 5.3
MEDIUM This Month

The Subscriptions for WooCommerce plugin contains an authentication bypass in the subscription cancellation function that allows unauthenticated attackers to cancel any active WooCommerce subscription. All versions up to and including 1.9.2 (CPE: cpe:2.3:a:wpswings:subscriptions_for_woocommerce:*:*:*:*:*:*:*:*) are affected; the cause is a missing capability check combined with improper nonce validation. Exploitation is a single GET request requiring no privileges or user interaction, resulting in unauthorized modification of subscription data (CVSS 5.3).

WordPress Authentication Bypass Subscriptions For Woocommerce
NVD VulDB
CVE-2026-1780
EPSS 0% CVSS 6.1
MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the [CR]Paid Link Manager WordPress plugin through version 0.5, caused by insufficient input sanitization and output escaping in the URL path parameter. Unauthenticated attackers can craft malicious URLs containing arbitrary JavaScript that executes in the browsers of users who click the link, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability has a moderate CVSS score of 6.1 and requires user interaction (UI:R), but the network-accessible attack vector (AV:N) and lack of privilege requirements make it a practical threat for WordPress sites using this plugin.

WordPress XSS
NVD VulDB