WordPress
Monthly
Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. An attacker who has legitimately initiated a checkout on the target site (and thereby obtained a Stripe Payment Intent ID from the browser-visible Stripe.js flow) can send a crafted POST request to mark a previously successful payment as failed, potentially blocking order fulfillment, triggering disputes, or corrupting financial records. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.
Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.
Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. No public exploit code or active exploitation has been identified at time of analysis, and no EPSS data was provided.
Authorization bypass in the Masteriyo LMS WordPress plugin (all versions through 2.2.1) allows authenticated users with student-level access to overwrite the post content of course announcements created by instructors or administrators. The flaw is rooted in missing authorization checks (CWE-862) inside the CourseAnnouncementController addon, meaning any enrolled student can tamper with official communications - exam instructions, policy notices, deadlines - without being detected by the LMS. No public exploit code or active exploitation has been identified at time of analysis; CVSS rates this 4.3 (Medium) reflecting limited integrity-only impact with no confidentiality or availability consequence.
Authorization bypass in the Quiz and Survey Master (QSM) WordPress plugin (all versions through 11.1.4) allows authenticated contributors to create, modify, and delete quiz output templates in the mlw_quiz_output_templates database table without proper capability checks. Because template content is stored without sanitization, this grants contributor-level users the practical ability to inject arbitrary script tags into templates viewable by higher-privileged users such as administrators. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege requirement makes this accessible to any registered contributor on affected WordPress installations.
Unauthorized taxonomy manipulation in the Product Specifications for WooCommerce WordPress plugin (versions up to and including 0.8.9) exposes AJAX endpoints that any authenticated subscriber can invoke without authorization checks or CSRF protection, enabling arbitrary creation, modification, and deletion of product specification groups and attributes. The affected AJAX actions 'dwps_modify_groups' and 'dwps_modify_attributes' - bound to the __invoke() methods of AttributeGroupController and AttributeController - operate on 'spec-group' and attribute taxonomy terms, meaning successful exploitation directly corrupts WooCommerce store business data and breaks frontend product display. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the attack surface is wide on marketplaces with open vendor registration.
Authentication bypass in the RegistrationMagic WordPress plugin (all versions through 6.0.8.6) permits an unauthenticated attacker with a prior legitimate payment transaction on the target site to obtain real WordPress session cookies for any user account, including administrators. The flaw exploits a fatally inverted processing order in the PayPal IPN callback handler: attacker-controlled POST data including the target user_id is written to the payment log database before PayPal IPN validation is performed, and the database poisoning persists even after validation subsequently rejects the forged notification. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the account-takeover impact makes this a critical priority for any site running the plugin with active PayPal payment integration.
Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Reflected Cross-Site Scripting in the MaxButtons - Create buttons WordPress plugin (versions up to and including 9.8.5) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'view' parameter, executing in the victim's browser context when a crafted URL is clicked. The flaw is traced to insufficient input sanitization in listController.php and maxbuttons-list.php, as confirmed by Wordfence and source-level references in the WordPress plugin repository. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make social-engineering-based exploitation straightforward.
Unauthenticated form submission data exfiltration in NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) exposes sensitive PII and payment details to any remote attacker. Missing authorization checks on report download endpoints allow sequential enumeration of report IDs without any credentials, enabling mass harvesting of names, email addresses, phone numbers, postal addresses, payment details, and file paths from every saved form report on the site. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and zero authentication requirement make opportunistic exploitation straightforward.
Broken access control (Insecure Direct Object Reference) in the Paid Member Subscriptions WordPress plugin before 4.16.17 lets any authenticated low-privileged user (Subscriber or above) cancel arbitrary other users' active subscriptions by manipulating the subscription identifier in a subscription-action request. The plugin fails to verify that the requesting account owns the targeted subscription. No public exploit identified at time of analysis, EPSS is low at 0.14% (3rd percentile), and the issue is not in CISA KEV, but the attack is trivial to perform once any account exists on the site.
Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV.
Cross-Site Request Forgery in the HD Quiz WordPress plugin versions 2.2.0 and 2.2.1 enables unauthenticated attackers to manipulate quiz content and plugin settings by tricking a logged-in administrator into clicking a crafted link. The flaw originates in the `hdq_validate_nonce` function (`includes/functions.php:39`), which fails to properly validate WordPress nonces across at least six distinct AJAX action handlers in `includes/actions-ajax.php`. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though Wordfence has published a detailed advisory with source code references for both affected versions.
Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the `menu_title` and `menu_magnifier_color` settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. No public exploit code has been identified at time of analysis, CISA KEV does not list this CVE, and the CVSS score of 4.4 reflects the high privilege prerequisite rather than the cross-site impact scope.
SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the `query[select]` REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in `query[filters]` triggers a FilterException that silently redirects execution from the protected `Contact_Query` path to the unprotected `Legacy_Contact_Query` path. No CISA KEV listing or confirmed public exploit code exists at time of analysis, though Wordfence's advisory directly references vulnerable source lines at plugin version 4.5.5, materially lowering the barrier to independent PoC development.
Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. No confirmed active exploitation appears in CISA KEV, and no public exploit code has been identified at time of analysis.
SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the vulnerability is straightforward to exploit with valid credentials given the low complexity rating.
Sensitive data exposure in the Bopo - WooCommerce Product Bundle Builder plugin for WordPress (versions ≤ 1.1.6) allows low-privileged authenticated users to access information that should be restricted to higher-trust roles. The flaw is classified under CWE-497, indicating the plugin exposes sensitive system or application data to an unauthorized control sphere - likely via an improperly protected REST API endpoint or AJAX action lacking appropriate capability checks. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the Abandoned Cart Lite for WooCommerce WordPress plugin (versions 6.8.0 and below) enables unauthenticated remote attackers to perform unauthorized state-changing actions by luring an authenticated site user into visiting a malicious page. The CVSS score of 4.3 (Medium) reflects a limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in FunnelKit Payment Gateway for Stripe WooCommerce plugin (versions up to and including 1.14.0.3) allows a remote unauthenticated attacker to perform unauthorized state-changing actions by tricking an authenticated WordPress user into interacting with a crafted request. The absence of proper CSRF token validation (CWE-352) means any action protected only by session authentication can be forged. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Broken access control in Email Marketing for WooCommerce by Omnisend (versions up to and including 1.19.0) allows authenticated subscriber-level WordPress users to invoke privileged plugin functionality without proper authorization checks. Exploitation requires only a low-privilege WordPress account and no user interaction, enabling unauthorized modification of plugin state and potential availability disruption. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier - subscriber-level access - elevates real-world concern on sites with open user registration.
Improper authorization in the Subscriptions for WooCommerce WordPress plugin (versions 1.9.5 and earlier) lets unauthenticated remote attackers reach functionality that should be access-restricted, enabling unauthorized modification of subscription data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms network-reachable, no-authentication, low-complexity abuse with a high integrity impact but no confidentiality or availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated information disclosure in the Print Invoice & Delivery Notes for WooCommerce plugin (versions 7.1.1 and earlier) lets remote attackers retrieve sensitive order data - such as invoices and delivery notes - without any credentials. The CVSS 3.1 score of 7.5 reflects a network-reachable, no-interaction confidentiality breach. No public exploit is identified at time of analysis and it is not listed in CISA KEV, so exploitation appears unproven but trivially feasible given the access profile.
Unauthenticated IDOR in Payment Gateway Based Fees and Discounts for WooCommerce (versions up to and including 3.0.0) allows remote, unauthenticated attackers to manipulate payment gateway fee and discount object references, resulting in unauthorized modification of pricing logic and potential disruption of checkout availability. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction, making this trivially reachable on any exposed WooCommerce storefront running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated entry point lowers the barrier for opportunistic abuse.
Stored/reflected Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (versions up to and including 5.110.1) lets unauthenticated attackers inject malicious script that executes in a victim's browser when they view the affected page. The CVSS:3.1 vector (AV:N/PR:N/UI:R, scope changed) indicates network-reachable, no-authentication exploitation that requires the victim to interact with attacker-controlled content. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.
Authentication bypass in the CorvusPay WooCommerce Payment Gateway plugin for WordPress (versions 2.7.4 and earlier) lets unauthenticated remote attackers manipulate the payment/integration workflow without valid credentials, per the CVSS 3.1 vector (AV:N/PR:N) and CWE-288. The flaw scores 7.5 with integrity impact only (I:H, C:N, A:N), meaning an attacker can tamper with trusted state - most plausibly forging payment confirmation/callback validation - rather than steal data or take a site down. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary file upload in Booster for WooCommerce (plugin slug woocommerce-jetpack) versions <= 8.0.1 lets an authenticated customer-level user upload arbitrary files to the WordPress server, enabling web shell deployment and remote code execution. The CVSS 3.1 score of 9.9 reflects a scope change (S:C) where a low-privilege shop customer can fully compromise the underlying host. No public exploit identified at time of analysis; the issue was reported by Patchstack's audit team.
Broken access control in the Paymob for WooCommerce WordPress plugin (versions <= 4.1.2) allows remote unauthenticated attackers to invoke a protected function or action that lacks an authorization check, producing a high integrity impact (CVSS 7.5, CVSS:3.1/.../I:H). The flaw maps to CWE-862 (Missing Authorization), meaning a function reachable over the network performs no capability or ownership validation before acting. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.
Reflected/stored Cross-Site Scripting in the MapPress Maps for WordPress plugin (versions 2.97.3 and earlier) allows an unauthenticated remote attacker to inject malicious JavaScript that executes in the browser of a victim who interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script can act beyond the vulnerable component to affect logged-in users including administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in the Abandoned Cart Pro for WooCommerce plugin (versions <= 10.4.0) allows an authenticated low-privileged user (Subscriber) to elevate their own permissions and gain higher-privileged capabilities within the WordPress site. The flaw, reported by Patchstack and classified as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 8.8 and is network-exploitable with low complexity once an attacker holds any minimal account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in the Splash - Sport Club WordPress theme (versions 4.4.3 and earlier) lets an authenticated Contributor-level user supply a controlled filename to a PHP include/require sink, exposing local server files and potentially escalating to code execution. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis, and it is not listed in CISA KEV. Exploitation requires an existing low-privilege account and overcomes elevated attack complexity, narrowing realistic abuse to multi-author sites.
Payment bypass in WPEverest's User Registration & Membership WordPress plugin (versions up to and including 5.2.0) allows unauthenticated remote attackers to activate paid memberships without completing payment. The vulnerability stems from missing authorization checks in the confirm_payment() function (CWE-862), which fails to validate that a legitimate payment transaction occurred before granting membership access. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity and requires no authentication, making it trivially reachable by any internet-connected adversary.
Permanent deletion of arbitrary WordPress posts and pages is possible via the Frontend File Manager Plugin (all versions through 23.6), which omits ownership verification before executing delete operations. Any authenticated user holding author-level access or higher can permanently destroy content they do not own; when an administrator enables the 'Allow guest uploads' setting, the same endpoint becomes reachable by completely unauthenticated users. A public proof-of-concept exists via WPScan; no confirmed actively exploited status (KEV), and EPSS sits at just 0.18% (8th percentile), but the unauthenticated attack path under a non-default configuration is the highest-severity scenario.
SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. Publicly available exploit code exists (WPScan), though EPSS is low (0.16%) and SSVC classifies exploitation as proof-of-concept only, not active.
Information disclosure in the YMC Filter WordPress plugin before 3.11.3 lets unauthenticated remote attackers read the titles and content of private, draft, and other non-public posts by abusing a REST API endpoint that lacks proper authorization and fails to validate a user-supplied query parameter. WPScan reported the flaw, a public exploit exists, and a vendor patch is available; the CVSS 3.1 score is 7.5 reflecting high confidentiality impact with no integrity or availability effect.
Path traversal in Printcart Web to Print Product Designer for WooCommerce (all versions through 2.4.8) exposes arbitrary server directory listings to unauthenticated remote attackers with no interaction required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network-based exploitation against any internet-facing WooCommerce store running this plugin. A publicly available exploit exists via WPScan, materially lowering the technical barrier despite the Medium CVSS score of 5.3; no confirmed patched version is available at time of analysis.
SQL Injection in the Groundhogg WordPress plugin (versions up to and including 4.5.4) allows any authenticated WordPress user - regardless of role - to extract sensitive data from the underlying database via the unsanitized 'after' parameter in the contacts table AJAX handler. The critical amplifier here is that the AJAX handler wp_ajax_groundhogg_get_contacts_table has its role capability check commented out and lacks nonce verification, effectively reducing the privilege bar from Sales Manager (as the CVE description initially implies) to any authenticated user including subscribers on open-registration sites. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation bar and the data exfiltration potential against CRM databases containing customer PII make this a meaningful risk for affected deployments.
Improper access control in PPOM for WooCommerce (all versions through 33.0.18) enables unauthenticated remote attackers to bypass access controls and perform unauthorized operations affecting the integrity and availability of affected WooCommerce stores. Classified under CWE-284 and confirmed as an authentication bypass by Patchstack, the flaw exposes plugin-managed product option data to manipulation or disruption without requiring any credentials. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.
Sensitive data exposure in the APIExperts Square for WooCommerce WordPress plugin (also known as woosquare) through version 4.7.3 allows remote attackers to retrieve embedded sensitive information that the plugin inserts into data it sends. Reported by Patchstack and rated CVSS 8.3, the flaw stems from CWE-201 (Insertion of Sensitive Information Into Sent Data) and is exploitable without authentication or user interaction per its CVSS vector. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored/reflected Cross-Site Scripting in the Advanced Order Export For WooCommerce WordPress plugin (by AlgolPlus) affects all versions up to and including 4.0.9, letting a remote attacker inject script that executes in the browser of a victim who views attacker-controlled order/export data. The flaw carries a CVSS 7.1 rating driven by a scope change (attacker script runs outside the vulnerable component's security context) and requires victim interaction; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.
Broken Access Control in the UPI QR Code Payment Gateway for WooCommerce plugin (versions <= 1.6.2) allows authenticated low-privilege WordPress users to perform actions or access endpoints reserved for higher-privileged roles, resulting in unauthorized modification of payment data or disruption of payment processing. The flaw, rooted in missing authorization checks (CWE-862), was disclosed by Patchstack and affects sites running WooCommerce with this Knit Pay plugin installed. No public exploit code has been identified at time of analysis, and it has not been confirmed as actively exploited.
Unauthenticated IDOR in License Manager for WooCommerce (versions <= 3.0.15) allows remote, unauthenticated attackers to reference and manipulate arbitrary license records by supplying or iterating object identifiers in plugin requests, yielding integrity and availability impacts on license data. The CVSS vector (PR:N, AV:N, AC:L) confirms no authentication or special conditions are needed, making the attack trivially repeatable against any reachable WooCommerce store running the affected plugin. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
SQL injection in the Premmerce Wishlist for WooCommerce WordPress plugin (versions 1.1.11 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries, per the CVSS PR:N vector. Reported by Patchstack and rated 9.3 (CVSS 3.1), it allows extraction of sensitive WordPress/WooCommerce data such as user records and credential hashes. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.
Unauthenticated SQL injection in the Tourfic WordPress travel-booking plugin (versions through 2.22.7) lets remote attackers read arbitrary database contents via the 'post_id' parameter of the tf_room_availability AJAX action. Because the action is registered for logged-out users (wp_ajax_nopriv) and the required nonce is publicly emitted on single-hotel pages, no authentication is needed in practice. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Order shipping-destination tampering in the InPost PL WooCommerce plugin (versions before 1.9.1) lets unauthenticated remote attackers silently change the parcel-locker delivery point of any order still in 'pending' or 'processing' status, because the plugin never verifies the request comes from the legitimate buyer. Publicly available exploit code exists and a vendor patch has been released, though this is not listed in CISA KEV (no public exploit identified as actively exploited at time of analysis beyond the published POC). With CVSS 7.5 and an integrity-only impact, the practical risk is shipment redirection / parcel theft rather than data disclosure.
Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.
Unauthenticated access to Masteriyo LMS WordPress plugin's course-progress REST API controller exposes all users' learning records to read and permanent deletion. All plugin versions before 2.2.1 are affected due to a missing authorization check on the REST endpoint, meaning any unauthenticated HTTP client can target arbitrary user IDs. A publicly available proof-of-concept exists per WPScan; however, EPSS sits at just 0.14% (3rd percentile), suggesting opportunistic exploitation has not yet materialized at scale despite the low barrier to entry.
Time-based blind SQL injection in the Gravity Forms Booking plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to exfiltrate sensitive data from the underlying WordPress database via the 'staff_id' parameter. All plugin versions through 2.7.1 are affected due to insufficient input escaping and inadequate SQL query preparation on a user-controlled parameter. No public exploit code or active exploitation has been identified at time of analysis, though the low authentication barrier (subscriber-level) meaningfully broadens attacker opportunity on sites with open registration.
SQL injection in the Dokan Pro WordPress multivendor marketplace plugin (all versions ≤ 5.0.4) lets unauthenticated remote attackers inject SQL through the 'latitude' and 'longitude' request parameters, enabling extraction of arbitrary database contents such as user credentials, API keys, and order data. The flaw is time-based (blind) and requires no authentication or user interaction, but no public exploit code or active exploitation has been identified at time of analysis. No EPSS or CISA KEV signal was provided in the source data.
Time-based blind SQL injection in the Dokan Pro WordPress plugin allows network-accessible authenticated attackers with Subscriber-level privileges to extract sensitive data from the underlying WordPress database. The flaw resides in the 'orderby' parameter, which is insufficiently escaped and passed into unparameterized SQL queries across all plugin versions through 5.0.4. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar - any registered subscriber - substantially widens the realistic attacker pool on marketplace and multi-vendor WordPress sites.
Stored Cross-Site Scripting in Essential Blocks for WordPress (all versions through 6.1.4) allows authenticated Contributor-level users to permanently embed malicious JavaScript into pages via the `configurablePrefix` attribute of the Table of Contents block. The payload persists in the database and executes in every subsequent visitor's browser, enabling session hijacking, credential theft, or forced redirects at scale across the site's audience. No public exploit code or CISA KEV listing is present in the available intelligence, but Wordfence's disclosure paired with publicly accessible source-level Trac links substantially lowers the effort required to develop a working exploit.
Authenticated PHP code injection in the AdRotate Banner Manager WordPress plugin (versions ≤5.17.7) allows Contributor-level users to execute arbitrary PHP on the server by abusing the 'banner' attribute of the [adrotate] shortcode. Exploitation requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings, where unsanitized input is concatenated into a PHP string wrapped in mfunc/fragment cache markers. Reported by Wordfence; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Account takeover in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) allows Contributor-level authenticated users to harvest live password reset links for any account, including administrators, by chaining three logic bugs in the member directory subsystem. The flaw enables full site compromise because reset URLs can be used to set new administrator passwords. No public exploit identified at time of analysis, though Wordfence has published detailed technical write-ups that significantly lower the bar for weaponization.
Sensitive information disclosure in the premium Cornerstone page builder (bundled with the X theme) versions 3.0.0 through 7.8.7 allows any authenticated WordPress user to extract raw password hashes and other private user metadata. The CSS-preview request handler fails to enforce capability checks while exposing its required nonce on every wp-admin page, and publicly available exploit code exists per WPScan, though no active exploitation has been reported.
Authenticated information disclosure in the premium Cornerstone page builder (bundled with the X WordPress theme) before version 7.8.9 allows any logged-in user to enumerate other users' metadata via an unprotected REST API route. Disclosed data includes roles, session token previews, and stored billing/shipping fields, enabling account targeting and potential session abuse. Publicly available exploit code exists per WPScan, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.
Insufficient REST API authorization in the Site Kit by Google WordPress plugin before version 1.176.0 permits users with dashboard sharing access - such as those granted the Editor role - to write to a site-wide settings endpoint that should be restricted to administrators. The integrity impact is confined to plugin-level configuration, but the flaw is significant because dashboard sharing is commonly granted to non-admin contributors on multi-author sites. A publicly available proof-of-concept exists per WPScan; exploitation probability remains very low (EPSS 0.13%, 3rd percentile) and the vulnerability is not listed in the CISA KEV catalog.
PHP Object Injection in the Post Duplicator WordPress plugin before 3.0.15 lets authenticated users with Contributor-level access or higher inject arbitrary serialized PHP objects by abusing the plugin's post-duplication routine, which copies attacker-controlled custom meta-data without the WordPress meta API's double-serialization safeguard. Successful exploitation can lead to property-oriented programming attacks and, with a suitable gadget chain present, full compromise of the site. Publicly available exploit code exists (WPScan), though the flaw is not listed in CISA KEV and carries a low EPSS score (0.15%, 5th percentile).
Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.
Stored Cross-Site Scripting in the AI Share & Summarize WordPress plugin (all versions before 2.0.4) allows any user holding a Contributor role or above to inject persistent malicious JavaScript via unsanitized shortcode attributes rendered on pages. When a higher-privileged user such as an Administrator subsequently views the affected page, the payload executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. A publicly available proof-of-concept exploit exists per WPScan, and a vendor-released patch is available in version 2.0.4.
Authorization bypass in the RentMy Real-Time Rental Management Plugin for WordPress exposes full CRUD control over rental event records and location configuration to unauthenticated remote attackers, affecting all versions through 4.0.4.1. The root cause is missing authorization checks in the plugin's AJAX handler class (class-rentmy-ajax.php), allowing any unauthenticated visitor to invoke privileged actions via WordPress's standard AJAX endpoint. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the zero-barrier entry point - unauthenticated, network-accessible, low complexity - means any exposed deployment is immediately at risk without requiring attacker sophistication.
Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. No public exploit identified at time of analysis, but the trivial nature of the bypass and the exposure of user_pass hashes make this a credible account-takeover vector.
Cross-Site Request Forgery in the Bulk SEO Image WordPress plugin (versions ≤ 1.1) enables unauthenticated attackers to bulk-overwrite every image ALT-text attribute across all published posts and pages on a target site by tricking an authenticated administrator into visiting a malicious page. The plugin's core handler BulkSeoImage() dispatches to launchbulk() and BulkSeoImageGo() whenever a POST request includes the 'bulkseoimage' parameter, with no wp_nonce_field() emitted in the form and no check_admin_referer() or wp_verify_nonce() call gating execution - confirmed by direct source code review at the plugin's Trac repository. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Unauthenticated mass PII harvesting is possible on any WordPress site running the WhatsOrder - Instant Checkout for WooCommerce plugin (all versions through 1.0.1) because the plugin writes customer invoice HTML files to a publicly accessible directory with no access restrictions. The `yapacdev_generate_order_pdf` function deposits invoices under `wp-content/uploads/whatsorder_invoices/` without generating an `.htaccess` deny rule or `index.php` guard, and because WooCommerce uses predictable sequential order IDs, any remote attacker can enumerate and download every customer invoice with no authentication. Exposed data includes full name, email, phone number, billing address, itemized order contents with pricing, applied coupon codes, shipping method, and order total. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in the Advance Nav Menu Manager WordPress plugin (all versions through 1.3) permits any authenticated subscriber-level user to manipulate site navigation menus without authorization. The plugin invokes wp_insert_post() for nav_menu_item operations - duplicate, copy, move, and publish - without enforcing capability checks, allowing low-privilege users to alter navigation structure at will. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the low barrier to exploitation (any registered subscriber account) makes it a meaningful risk on sites with open or compromised user registration.
Stored Cross-Site Scripting in the WP Latest Posts WordPress plugin (versions up to and including 5.0.11) allows authenticated attackers with author-level access to plant persistent JavaScript payloads by crafting malicious image src attributes in post content. The plugin's field() and loop() functions in wplp-front.inc.php extract raw src values via regex and reconstruct HTML img elements or CSS background-image declarations through direct string concatenation, entirely bypassing WordPress's built-in kses sanitization. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the scope change to the victim's browser context enables session hijacking or credential theft against any user who visits an injected page.
Stored Cross-Site Scripting in Avalon23 Products Filter for WooCommerce (≤1.1.6) allows authenticated Contributors to inject persistent JavaScript via the `avalon23_qr` shortcode's `title` and `fixed_link` attributes, which are concatenated unsanitized into single-quoted HTML attributes by `AVALON23_HELPER::draw_html_item()`. The payload is stored in the WordPress database and executes in the browser of any user who subsequently visits an injected page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the Mir Blocks and Shortcodes WordPress plugin (versions up to and including 1.0.0) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript into pages via unsanitized shortcode attributes - specifically the 'title' and 'ready_animation_text' parameters of the msc_stats() rendering function. Any site visitor who loads an injected page executes the attacker's script in their browser, enabling session theft, credential harvesting, or in-page content manipulation. No public exploit or CISA KEV listing is confirmed at time of analysis, but the low privilege requirement (contributor) makes this accessible to a broad class of registered WordPress users.
Authenticated information disclosure in the 24liveblog WordPress plugin (versions ≤ 2.2) exposes third-party API credentials - including OAuth access tokens, refresh tokens, account UIDs, and usernames - to any contributor-level WordPress user who opens the block editor. The plugin's lb24_block_enqueue_scripts() function, hooked to enqueue_block_editor_assets, retrieves administrator-configured integration secrets from the WordPress options table and renders them into the page as a JavaScript global object (lb24BlockData) for all non-administrator users, where they are readable via basic browser source inspection. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but exploitation is trivially simple for any user holding a WordPress contributor account.
Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv `pravel_invoice_change_password()` AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward.
Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed.
Unauthenticated stored cross-site scripting in the WP Meta SEO WordPress plugin (versions ≤ 4.5.18 by Joomunited) lets remote attackers persist arbitrary JavaScript into the `wp_wpms_links.link_url` database column by sending HTTP requests with a malicious URI to any 404 path. The payload executes in the browser of any administrator who opens the plugin's '404 & Redirects' admin page, enabling session hijacking or admin-on-behalf actions. No public exploit identified at time of analysis; no KEV listing.
{id}' without a permission_callback, which causes WordPress core to expose it publicly with no credential check whatsoever. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack mechanics require no specialized tooling.
Cross-Site Request Forgery in the MP Customize Login Page WordPress plugin (all versions ≤ 1.0) enables unauthenticated remote attackers to overwrite login page settings - background, logo URL, image dimensions, button colors, and login message - by tricking a logged-in administrator into submitting a crafted request. The root cause is a doubly defective nonce implementation in enter_mpclp_login_options(): the check is logically inverted (blocking valid nonces while passing invalid ones) and the required action parameter is omitted from wp_verify_nonce(), rendering the entire check dead code. Compounding this, the settings handler is registered on the init hook without any capability gate, so no privilege level is required from the attacker. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Authorization bypass in the Generate Security.txt WordPress plugin (all versions through 1.0.12) allows authenticated attackers with subscriber-level access to delete the site's security.txt file or create the .well-known directory by invoking unprotected AJAX actions directly. The root cause is a failure to verify user capabilities before executing the delete_securitytxt and create_wellknown_folder AJAX handlers, a classic CWE-862 (Missing Authorization) pattern reported by Wordfence. No public exploit or CISA KEV listing has been identified at time of analysis, and with a CVSS score of 4.3 and limited integrity impact, this is a low-urgency but straightforward-to-exploit flaw for any authenticated WordPress user.
Unauthenticated token manipulation in the SearchPlus WordPress plugin (versions up to and including 1.7.1) allows any remote visitor to overwrite or delete the plugin's stored API credentials by invoking two unprotected AJAX callbacks. Both searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() are registered via wp_ajax_nopriv_ hooks and lack both capability checks and nonce validation, making them freely accessible without authentication. No public exploit or active exploitation has been identified at time of analysis, and real-world impact is limited to disruption of the plugin's search functionality or substitution of attacker-controlled account tokens.
Unauthorized token overwrite in the 24liveblog WordPress plugin (versions ≤ 2.2) enables any authenticated user with author-level access or above to hijack the site's 24liveblog service integration. The AJAX handler update_lb24_token() validates only a nonce that is automatically distributed to all block-editor-capable users, but performs no capability check and does not verify that the supplied user_id matches the requester - allowing an author-level attacker to overwrite lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields for any account including administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS rates this as medium-low (4.3), consistent with the authenticated-only, integrity-limited impact.
Unauthenticated SQL injection in the ClearSale Total WordPress plugin (all versions through 3.4.2) allows remote attackers to extract sensitive database contents via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action. The flaw is reachable without authentication because the nopriv AJAX handler ships with a commented-out die() in the nonce-failure branch, and on PHP < 8.0 loose type juggling bypasses the switch/case integer guard. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected Cross-Site Scripting in the EntreDroppers WordPress plugin (all versions through 1.1.2) allows unauthenticated attackers to inject arbitrary JavaScript into victim browsers by embedding script payloads in the URL path-info segment, which PHP reflects unsanitized through the PHP_SELF server variable into the form action attribute at EntreDroppers.php line 223. Successful exploitation requires tricking an authenticated WordPress administrator into clicking a crafted link pointing to the /wp-admin/ context, making this a social-engineering-dependent attack. No public exploit code or active exploitation has been identified at time of analysis; no patch has been confirmed from available data.
Server-side request forgery in the Kargo Takip WordPress plugin (versions through 1.2) allows unauthenticated remote attackers to coerce the site into issuing arbitrary HTTP requests via the 'api_url' parameter and to exfiltrate data from internal services. Because the plugin echoes the value of any 'auth' key from the JSON response back to the attacker, it enables direct retrieval of sensitive responses such as cloud instance metadata credentials. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.
Cross-Site Request Forgery in the Blue Captcha WordPress plugin (versions ≤ 2.0.1) allows unauthenticated attackers to trigger destructive administrative operations - including plugin uninstall, audit log deletion, Hall of Shame wipe, and arbitrary IP blocklist manipulation - by tricking a logged-in administrator into clicking a crafted link. The root cause is a complete absence of nonce validation (`wp_verify_nonce`, `check_admin_referer`, `check_ajax_referer`) across all admin handler entry points, confirmed by Wordfence with direct source code references. No public exploit has been identified at time of analysis, and no patched version has been confirmed.
Unauthorized settings deletion in the Assistio WordPress plugin (versions ≤ 1.1.2) allows any authenticated Subscriber-level user to invoke the assistio_plugin_delete_assistio_settings() function and wipe critical plugin options, including the 'assistiobot_oauth_settings' OAuth token, breaking the site's Assistio bot integration. The function lacks both WordPress capability verification and nonce validation - two standard WordPress security controls - meaning the authorization boundary is entirely absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS score of 4.3 accurately reflects the limited but real integrity impact against low-privilege authenticated attackers.
Unauthenticated remote attackers can disconnect any WordPress site running the Secufor_OAuth plugin from its linked Secufor identity account by triggering an unprotected action handler that clears the stored OAuth token and login configuration. All plugin versions through 1.0.7 are affected, confirmed by Wordfence and traceable to specific lines in the plugin source. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the trivially low attack complexity (AV:N/AC:L/PR:N) means exploitation requires only an HTTP request.
Authorization bypass in the Reviews and Rating - Docplanner WordPress plugin (versions ≤ 1.1.4) allows any authenticated subscriber-level user to invoke privileged plugin actions without proper capability checks. Exploitation enables two distinct abuse paths: triggering server-side outbound scraping of attacker-controlled or arbitrary external URLs with results written to the wp_dp_reviews database table, and dispatching feature-request emails impersonating the site administrator's address. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the MotorDesk WordPress plugin (all versions ≤ 1.1.2) allows unauthenticated remote attackers to overwrite critical plugin configuration settings by tricking a logged-in administrator into clicking a crafted link. The vulnerable function motordesk_admin_home in motordesk_admin.php lacks proper WordPress nonce validation, meaning the server accepts state-changing POST requests without confirming the administrator intentionally submitted them. No public exploit code has been identified at time of analysis; the CVSS 4.3 Medium score accurately reflects the social-engineering dependency, though the custom template directory path setting warrants secondary scrutiny for potential path traversal chaining.
Privilege escalation in the Welcome Software Publishing WordPress plugin (versions ≤ 0.0.31) allows any authenticated user with Subscriber-level access or above to update arbitrary WordPress options via the nc.setOption XML-RPC method. By modifying the default_role option to 'administrator' and registering a new account, attackers achieve full site takeover. No public exploit identified at time of analysis, but the attack pattern is trivial and well-documented for similar WordPress XML-RPC missing-capability flaws.
Unauthenticated data deletion in the Advanced Contact Form 7 - Compact DB WordPress plugin (versions up to and including 1.0.0) allows any remote attacker to permanently destroy all stored contact form submissions. The root cause is registration of the deletion handler against the `wp_ajax_nopriv_cf7cdb_delete` hook, which WordPress exposes to unauthenticated users, combined with a complete absence of nonce verification, capability checks, and ownership validation before invoking `$wpdb->delete()`. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is trivially automatable due to sequential integer primary keys and no authentication barrier.
Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. An attacker who has legitimately initiated a checkout on the target site (and thereby obtained a Stripe Payment Intent ID from the browser-visible Stripe.js flow) can send a crafted POST request to mark a previously successful payment as failed, potentially blocking order fulfillment, triggering disputes, or corrupting financial records. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.
Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.
Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. No public exploit code or active exploitation has been identified at time of analysis, and no EPSS data was provided.
Authorization bypass in the Masteriyo LMS WordPress plugin (all versions through 2.2.1) allows authenticated users with student-level access to overwrite the post content of course announcements created by instructors or administrators. The flaw is rooted in missing authorization checks (CWE-862) inside the CourseAnnouncementController addon, meaning any enrolled student can tamper with official communications - exam instructions, policy notices, deadlines - without being detected by the LMS. No public exploit code or active exploitation has been identified at time of analysis; CVSS rates this 4.3 (Medium) reflecting limited integrity-only impact with no confidentiality or availability consequence.
Authorization bypass in the Quiz and Survey Master (QSM) WordPress plugin (all versions through 11.1.4) allows authenticated contributors to create, modify, and delete quiz output templates in the mlw_quiz_output_templates database table without proper capability checks. Because template content is stored without sanitization, this grants contributor-level users the practical ability to inject arbitrary script tags into templates viewable by higher-privileged users such as administrators. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege requirement makes this accessible to any registered contributor on affected WordPress installations.
Unauthorized taxonomy manipulation in the Product Specifications for WooCommerce WordPress plugin (versions up to and including 0.8.9) exposes AJAX endpoints that any authenticated subscriber can invoke without authorization checks or CSRF protection, enabling arbitrary creation, modification, and deletion of product specification groups and attributes. The affected AJAX actions 'dwps_modify_groups' and 'dwps_modify_attributes' - bound to the __invoke() methods of AttributeGroupController and AttributeController - operate on 'spec-group' and attribute taxonomy terms, meaning successful exploitation directly corrupts WooCommerce store business data and breaks frontend product display. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the attack surface is wide on marketplaces with open vendor registration.
Authentication bypass in the RegistrationMagic WordPress plugin (all versions through 6.0.8.6) permits an unauthenticated attacker with a prior legitimate payment transaction on the target site to obtain real WordPress session cookies for any user account, including administrators. The flaw exploits a fatally inverted processing order in the PayPal IPN callback handler: attacker-controlled POST data including the target user_id is written to the payment log database before PayPal IPN validation is performed, and the database poisoning persists even after validation subsequently rejects the forged notification. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the account-takeover impact makes this a critical priority for any site running the plugin with active PayPal payment integration.
Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Reflected Cross-Site Scripting in the MaxButtons - Create buttons WordPress plugin (versions up to and including 9.8.5) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'view' parameter, executing in the victim's browser context when a crafted URL is clicked. The flaw is traced to insufficient input sanitization in listController.php and maxbuttons-list.php, as confirmed by Wordfence and source-level references in the WordPress plugin repository. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make social-engineering-based exploitation straightforward.
Unauthenticated form submission data exfiltration in NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) exposes sensitive PII and payment details to any remote attacker. Missing authorization checks on report download endpoints allow sequential enumeration of report IDs without any credentials, enabling mass harvesting of names, email addresses, phone numbers, postal addresses, payment details, and file paths from every saved form report on the site. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and zero authentication requirement make opportunistic exploitation straightforward.
Broken access control (Insecure Direct Object Reference) in the Paid Member Subscriptions WordPress plugin before 4.16.17 lets any authenticated low-privileged user (Subscriber or above) cancel arbitrary other users' active subscriptions by manipulating the subscription identifier in a subscription-action request. The plugin fails to verify that the requesting account owns the targeted subscription. No public exploit identified at time of analysis, EPSS is low at 0.14% (3rd percentile), and the issue is not in CISA KEV, but the attack is trivial to perform once any account exists on the site.
Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV.
Cross-Site Request Forgery in the HD Quiz WordPress plugin versions 2.2.0 and 2.2.1 enables unauthenticated attackers to manipulate quiz content and plugin settings by tricking a logged-in administrator into clicking a crafted link. The flaw originates in the `hdq_validate_nonce` function (`includes/functions.php:39`), which fails to properly validate WordPress nonces across at least six distinct AJAX action handlers in `includes/actions-ajax.php`. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though Wordfence has published a detailed advisory with source code references for both affected versions.
Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the `menu_title` and `menu_magnifier_color` settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. No public exploit code has been identified at time of analysis, CISA KEV does not list this CVE, and the CVSS score of 4.4 reflects the high privilege prerequisite rather than the cross-site impact scope.
SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the `query[select]` REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in `query[filters]` triggers a FilterException that silently redirects execution from the protected `Contact_Query` path to the unprotected `Legacy_Contact_Query` path. No CISA KEV listing or confirmed public exploit code exists at time of analysis, though Wordfence's advisory directly references vulnerable source lines at plugin version 4.5.5, materially lowering the barrier to independent PoC development.
Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. No confirmed active exploitation appears in CISA KEV, and no public exploit code has been identified at time of analysis.
SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the vulnerability is straightforward to exploit with valid credentials given the low complexity rating.
Sensitive data exposure in the Bopo - WooCommerce Product Bundle Builder plugin for WordPress (versions ≤ 1.1.6) allows low-privileged authenticated users to access information that should be restricted to higher-trust roles. The flaw is classified under CWE-497, indicating the plugin exposes sensitive system or application data to an unauthorized control sphere - likely via an improperly protected REST API endpoint or AJAX action lacking appropriate capability checks. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the Abandoned Cart Lite for WooCommerce WordPress plugin (versions 6.8.0 and below) enables unauthenticated remote attackers to perform unauthorized state-changing actions by luring an authenticated site user into visiting a malicious page. The CVSS score of 4.3 (Medium) reflects a limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in FunnelKit Payment Gateway for Stripe WooCommerce plugin (versions up to and including 1.14.0.3) allows a remote unauthenticated attacker to perform unauthorized state-changing actions by tricking an authenticated WordPress user into interacting with a crafted request. The absence of proper CSRF token validation (CWE-352) means any action protected only by session authentication can be forged. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Broken access control in Email Marketing for WooCommerce by Omnisend (versions up to and including 1.19.0) allows authenticated subscriber-level WordPress users to invoke privileged plugin functionality without proper authorization checks. Exploitation requires only a low-privilege WordPress account and no user interaction, enabling unauthorized modification of plugin state and potential availability disruption. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier - subscriber-level access - elevates real-world concern on sites with open user registration.
Improper authorization in the Subscriptions for WooCommerce WordPress plugin (versions 1.9.5 and earlier) lets unauthenticated remote attackers reach functionality that should be access-restricted, enabling unauthorized modification of subscription data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms network-reachable, no-authentication, low-complexity abuse with a high integrity impact but no confidentiality or availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unauthenticated information disclosure in the Print Invoice & Delivery Notes for WooCommerce plugin (versions 7.1.1 and earlier) lets remote attackers retrieve sensitive order data - such as invoices and delivery notes - without any credentials. The CVSS 3.1 score of 7.5 reflects a network-reachable, no-interaction confidentiality breach. No public exploit is identified at time of analysis and it is not listed in CISA KEV, so exploitation appears unproven but trivially feasible given the access profile.
Unauthenticated IDOR in Payment Gateway Based Fees and Discounts for WooCommerce (versions up to and including 3.0.0) allows remote, unauthenticated attackers to manipulate payment gateway fee and discount object references, resulting in unauthorized modification of pricing logic and potential disruption of checkout availability. The CVSS vector (PR:N/UI:N/AV:N) confirms exploitation requires no authentication or user interaction, making this trivially reachable on any exposed WooCommerce storefront running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated entry point lowers the barrier for opportunistic abuse.
Stored/reflected Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (versions up to and including 5.110.1) lets unauthenticated attackers inject malicious script that executes in a victim's browser when they view the affected page. The CVSS:3.1 vector (AV:N/PR:N/UI:R, scope changed) indicates network-reachable, no-authentication exploitation that requires the victim to interact with attacker-controlled content. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.
Authentication bypass in the CorvusPay WooCommerce Payment Gateway plugin for WordPress (versions 2.7.4 and earlier) lets unauthenticated remote attackers manipulate the payment/integration workflow without valid credentials, per the CVSS 3.1 vector (AV:N/PR:N) and CWE-288. The flaw scores 7.5 with integrity impact only (I:H, C:N, A:N), meaning an attacker can tamper with trusted state - most plausibly forging payment confirmation/callback validation - rather than steal data or take a site down. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary file upload in Booster for WooCommerce (plugin slug woocommerce-jetpack) versions <= 8.0.1 lets an authenticated customer-level user upload arbitrary files to the WordPress server, enabling web shell deployment and remote code execution. The CVSS 3.1 score of 9.9 reflects a scope change (S:C) where a low-privilege shop customer can fully compromise the underlying host. No public exploit identified at time of analysis; the issue was reported by Patchstack's audit team.
Broken access control in the Paymob for WooCommerce WordPress plugin (versions <= 4.1.2) allows remote unauthenticated attackers to invoke a protected function or action that lacks an authorization check, producing a high integrity impact (CVSS 7.5, CVSS:3.1/.../I:H). The flaw maps to CWE-862 (Missing Authorization), meaning a function reachable over the network performs no capability or ownership validation before acting. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS data was not provided.
Reflected/stored Cross-Site Scripting in the MapPress Maps for WordPress plugin (versions 2.97.3 and earlier) allows an unauthenticated remote attacker to inject malicious JavaScript that executes in the browser of a victim who interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script can act beyond the vulnerable component to affect logged-in users including administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in the Abandoned Cart Pro for WooCommerce plugin (versions <= 10.4.0) allows an authenticated low-privileged user (Subscriber) to elevate their own permissions and gain higher-privileged capabilities within the WordPress site. The flaw, reported by Patchstack and classified as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 8.8 and is network-exploitable with low complexity once an attacker holds any minimal account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in the Splash - Sport Club WordPress theme (versions 4.4.3 and earlier) lets an authenticated Contributor-level user supply a controlled filename to a PHP include/require sink, exposing local server files and potentially escalating to code execution. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis, and it is not listed in CISA KEV. Exploitation requires an existing low-privilege account and overcomes elevated attack complexity, narrowing realistic abuse to multi-author sites.
Payment bypass in WPEverest's User Registration & Membership WordPress plugin (versions up to and including 5.2.0) allows unauthenticated remote attackers to activate paid memberships without completing payment. The vulnerability stems from missing authorization checks in the confirm_payment() function (CWE-862), which fails to validate that a legitimate payment transaction occurred before granting membership access. No public exploit or CISA KEV listing has been identified at time of analysis, but the attack is low-complexity and requires no authentication, making it trivially reachable by any internet-connected adversary.
Permanent deletion of arbitrary WordPress posts and pages is possible via the Frontend File Manager Plugin (all versions through 23.6), which omits ownership verification before executing delete operations. Any authenticated user holding author-level access or higher can permanently destroy content they do not own; when an administrator enables the 'Allow guest uploads' setting, the same endpoint becomes reachable by completely unauthenticated users. A public proof-of-concept exists via WPScan; no confirmed actively exploited status (KEV), and EPSS sits at just 0.18% (8th percentile), but the unauthenticated attack path under a non-default configuration is the highest-severity scenario.
SQL injection in the SALESmanago & Leadoo WordPress plugin before 3.11.3 allows low-privileged authenticated users to inject arbitrary SQL through an unsanitised parameter passed to a vulnerable AJAX action. Because the action enforces no authorisation check, even subscriber-level accounts can reach it, and the CVSS scope-changed, high-confidentiality rating (7.7) reflects the ability to read data across the WordPress database. Publicly available exploit code exists (WPScan), though EPSS is low (0.16%) and SSVC classifies exploitation as proof-of-concept only, not active.
Information disclosure in the YMC Filter WordPress plugin before 3.11.3 lets unauthenticated remote attackers read the titles and content of private, draft, and other non-public posts by abusing a REST API endpoint that lacks proper authorization and fails to validate a user-supplied query parameter. WPScan reported the flaw, a public exploit exists, and a vendor patch is available; the CVSS 3.1 score is 7.5 reflecting high confidentiality impact with no integrity or availability effect.
Path traversal in Printcart Web to Print Product Designer for WooCommerce (all versions through 2.4.8) exposes arbitrary server directory listings to unauthenticated remote attackers with no interaction required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial network-based exploitation against any internet-facing WooCommerce store running this plugin. A publicly available exploit exists via WPScan, materially lowering the technical barrier despite the Medium CVSS score of 5.3; no confirmed patched version is available at time of analysis.
SQL Injection in the Groundhogg WordPress plugin (versions up to and including 4.5.4) allows any authenticated WordPress user - regardless of role - to extract sensitive data from the underlying database via the unsanitized 'after' parameter in the contacts table AJAX handler. The critical amplifier here is that the AJAX handler wp_ajax_groundhogg_get_contacts_table has its role capability check commented out and lacks nonce verification, effectively reducing the privilege bar from Sales Manager (as the CVE description initially implies) to any authenticated user including subscribers on open-registration sites. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low exploitation bar and the data exfiltration potential against CRM databases containing customer PII make this a meaningful risk for affected deployments.
Improper access control in PPOM for WooCommerce (all versions through 33.0.18) enables unauthenticated remote attackers to bypass access controls and perform unauthorized operations affecting the integrity and availability of affected WooCommerce stores. Classified under CWE-284 and confirmed as an authentication bypass by Patchstack, the flaw exposes plugin-managed product option data to manipulation or disruption without requiring any credentials. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.
Sensitive data exposure in the APIExperts Square for WooCommerce WordPress plugin (also known as woosquare) through version 4.7.3 allows remote attackers to retrieve embedded sensitive information that the plugin inserts into data it sends. Reported by Patchstack and rated CVSS 8.3, the flaw stems from CWE-201 (Insertion of Sensitive Information Into Sent Data) and is exploitable without authentication or user interaction per its CVSS vector. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored/reflected Cross-Site Scripting in the Advanced Order Export For WooCommerce WordPress plugin (by AlgolPlus) affects all versions up to and including 4.0.9, letting a remote attacker inject script that executes in the browser of a victim who views attacker-controlled order/export data. The flaw carries a CVSS 7.1 rating driven by a scope change (attacker script runs outside the vulnerable component's security context) and requires victim interaction; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.
Broken Access Control in the UPI QR Code Payment Gateway for WooCommerce plugin (versions <= 1.6.2) allows authenticated low-privilege WordPress users to perform actions or access endpoints reserved for higher-privileged roles, resulting in unauthorized modification of payment data or disruption of payment processing. The flaw, rooted in missing authorization checks (CWE-862), was disclosed by Patchstack and affects sites running WooCommerce with this Knit Pay plugin installed. No public exploit code has been identified at time of analysis, and it has not been confirmed as actively exploited.
Unauthenticated IDOR in License Manager for WooCommerce (versions <= 3.0.15) allows remote, unauthenticated attackers to reference and manipulate arbitrary license records by supplying or iterating object identifiers in plugin requests, yielding integrity and availability impacts on license data. The CVSS vector (PR:N, AV:N, AC:L) confirms no authentication or special conditions are needed, making the attack trivially repeatable against any reachable WooCommerce store running the affected plugin. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
SQL injection in the Premmerce Wishlist for WooCommerce WordPress plugin (versions 1.1.11 and earlier) lets remote unauthenticated attackers inject crafted SQL into backend database queries, per the CVSS PR:N vector. Reported by Patchstack and rated 9.3 (CVSS 3.1), it allows extraction of sensitive WordPress/WooCommerce data such as user records and credential hashes. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and no EPSS score was provided.
Unauthenticated SQL injection in the Tourfic WordPress travel-booking plugin (versions through 2.22.7) lets remote attackers read arbitrary database contents via the 'post_id' parameter of the tf_room_availability AJAX action. Because the action is registered for logged-out users (wp_ajax_nopriv) and the required nonce is publicly emitted on single-hotel pages, no authentication is needed in practice. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Order shipping-destination tampering in the InPost PL WooCommerce plugin (versions before 1.9.1) lets unauthenticated remote attackers silently change the parcel-locker delivery point of any order still in 'pending' or 'processing' status, because the plugin never verifies the request comes from the legitimate buyer. Publicly available exploit code exists and a vendor patch has been released, though this is not listed in CISA KEV (no public exploit identified as actively exploited at time of analysis beyond the published POC). With CVSS 7.5 and an integrity-only impact, the practical risk is shipment redirection / parcel theft rather than data disclosure.
Stored cross-site scripting in the Email Address Encoder WordPress plugin (free, before 1.0.25) and its Email Encoder Premium counterpart (before 0.3.12) lets unauthenticated visitors inject persistent JavaScript through the plugin's flawed email-replacement handling. Publicly available exploit code exists (disclosed by WPScan) and a vendor patch is available, but it is not in CISA KEV, so there is no public exploit identified as actively used in the wild. Successful exploitation executes attacker script in the browser of any user who later renders the affected page, typically an authenticated administrator.
Unauthenticated access to Masteriyo LMS WordPress plugin's course-progress REST API controller exposes all users' learning records to read and permanent deletion. All plugin versions before 2.2.1 are affected due to a missing authorization check on the REST endpoint, meaning any unauthenticated HTTP client can target arbitrary user IDs. A publicly available proof-of-concept exists per WPScan; however, EPSS sits at just 0.14% (3rd percentile), suggesting opportunistic exploitation has not yet materialized at scale despite the low barrier to entry.
Time-based blind SQL injection in the Gravity Forms Booking plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to exfiltrate sensitive data from the underlying WordPress database via the 'staff_id' parameter. All plugin versions through 2.7.1 are affected due to insufficient input escaping and inadequate SQL query preparation on a user-controlled parameter. No public exploit code or active exploitation has been identified at time of analysis, though the low authentication barrier (subscriber-level) meaningfully broadens attacker opportunity on sites with open registration.
SQL injection in the Dokan Pro WordPress multivendor marketplace plugin (all versions ≤ 5.0.4) lets unauthenticated remote attackers inject SQL through the 'latitude' and 'longitude' request parameters, enabling extraction of arbitrary database contents such as user credentials, API keys, and order data. The flaw is time-based (blind) and requires no authentication or user interaction, but no public exploit code or active exploitation has been identified at time of analysis. No EPSS or CISA KEV signal was provided in the source data.
Time-based blind SQL injection in the Dokan Pro WordPress plugin allows network-accessible authenticated attackers with Subscriber-level privileges to extract sensitive data from the underlying WordPress database. The flaw resides in the 'orderby' parameter, which is insufficiently escaped and passed into unparameterized SQL queries across all plugin versions through 5.0.4. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar - any registered subscriber - substantially widens the realistic attacker pool on marketplace and multi-vendor WordPress sites.
Stored Cross-Site Scripting in Essential Blocks for WordPress (all versions through 6.1.4) allows authenticated Contributor-level users to permanently embed malicious JavaScript into pages via the `configurablePrefix` attribute of the Table of Contents block. The payload persists in the database and executes in every subsequent visitor's browser, enabling session hijacking, credential theft, or forced redirects at scale across the site's audience. No public exploit code or CISA KEV listing is present in the available intelligence, but Wordfence's disclosure paired with publicly accessible source-level Trac links substantially lowers the effort required to develop a working exploit.
Authenticated PHP code injection in the AdRotate Banner Manager WordPress plugin (versions ≤5.17.7) allows Contributor-level users to execute arbitrary PHP on the server by abusing the 'banner' attribute of the [adrotate] shortcode. Exploitation requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings, where unsanitized input is concatenated into a PHP string wrapped in mfunc/fragment cache markers. Reported by Wordfence; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Account takeover in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) allows Contributor-level authenticated users to harvest live password reset links for any account, including administrators, by chaining three logic bugs in the member directory subsystem. The flaw enables full site compromise because reset URLs can be used to set new administrator passwords. No public exploit identified at time of analysis, though Wordfence has published detailed technical write-ups that significantly lower the bar for weaponization.
Sensitive information disclosure in the premium Cornerstone page builder (bundled with the X theme) versions 3.0.0 through 7.8.7 allows any authenticated WordPress user to extract raw password hashes and other private user metadata. The CSS-preview request handler fails to enforce capability checks while exposing its required nonce on every wp-admin page, and publicly available exploit code exists per WPScan, though no active exploitation has been reported.
Authenticated information disclosure in the premium Cornerstone page builder (bundled with the X WordPress theme) before version 7.8.9 allows any logged-in user to enumerate other users' metadata via an unprotected REST API route. Disclosed data includes roles, session token previews, and stored billing/shipping fields, enabling account targeting and potential session abuse. Publicly available exploit code exists per WPScan, though there is no public exploit identified as actively used in the wild and the issue is not listed in CISA KEV.
Insufficient REST API authorization in the Site Kit by Google WordPress plugin before version 1.176.0 permits users with dashboard sharing access - such as those granted the Editor role - to write to a site-wide settings endpoint that should be restricted to administrators. The integrity impact is confined to plugin-level configuration, but the flaw is significant because dashboard sharing is commonly granted to non-admin contributors on multi-author sites. A publicly available proof-of-concept exists per WPScan; exploitation probability remains very low (EPSS 0.13%, 3rd percentile) and the vulnerability is not listed in the CISA KEV catalog.
PHP Object Injection in the Post Duplicator WordPress plugin before 3.0.15 lets authenticated users with Contributor-level access or higher inject arbitrary serialized PHP objects by abusing the plugin's post-duplication routine, which copies attacker-controlled custom meta-data without the WordPress meta API's double-serialization safeguard. Successful exploitation can lead to property-oriented programming attacks and, with a suitable gadget chain present, full compromise of the site. Publicly available exploit code exists (WPScan), though the flaw is not listed in CISA KEV and carries a low EPSS score (0.15%, 5th percentile).
Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.
Stored Cross-Site Scripting in the AI Share & Summarize WordPress plugin (all versions before 2.0.4) allows any user holding a Contributor role or above to inject persistent malicious JavaScript via unsanitized shortcode attributes rendered on pages. When a higher-privileged user such as an Administrator subsequently views the affected page, the payload executes in their browser, enabling session hijacking, credential theft, or unauthorized privileged actions. A publicly available proof-of-concept exploit exists per WPScan, and a vendor-released patch is available in version 2.0.4.
Authorization bypass in the RentMy Real-Time Rental Management Plugin for WordPress exposes full CRUD control over rental event records and location configuration to unauthenticated remote attackers, affecting all versions through 4.0.4.1. The root cause is missing authorization checks in the plugin's AJAX handler class (class-rentmy-ajax.php), allowing any unauthenticated visitor to invoke privileged actions via WordPress's standard AJAX endpoint. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the zero-barrier entry point - unauthenticated, network-accessible, low complexity - means any exposed deployment is immediately at risk without requiring attacker sophistication.
Information disclosure in the WP Forms Connector WordPress plugin (versions through 1.8) allows unauthenticated remote attackers to retrieve any user's password hash and email address via the wp/v3/user/list/<id> REST route. The endpoint's permission_callback is hard-coded to __return_true and the bespoke auth check verifies only that the Username header maps to an administrator (typically 'admin') without ever calling wp_check_password() to validate the supplied Password header. No public exploit identified at time of analysis, but the trivial nature of the bypass and the exposure of user_pass hashes make this a credible account-takeover vector.
Cross-Site Request Forgery in the Bulk SEO Image WordPress plugin (versions ≤ 1.1) enables unauthenticated attackers to bulk-overwrite every image ALT-text attribute across all published posts and pages on a target site by tricking an authenticated administrator into visiting a malicious page. The plugin's core handler BulkSeoImage() dispatches to launchbulk() and BulkSeoImageGo() whenever a POST request includes the 'bulkseoimage' parameter, with no wp_nonce_field() emitted in the form and no check_admin_referer() or wp_verify_nonce() call gating execution - confirmed by direct source code review at the plugin's Trac repository. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Reflected Cross-Site Scripting in the Image Sizes on Demand WordPress plugin (versions ≤ 1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized PHP_SELF server variable in settings.php. Successful exploitation requires social engineering an administrator into clicking a crafted link, after which the injected script executes within the admin's authenticated browser session - enabling session hijacking or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Unauthenticated mass PII harvesting is possible on any WordPress site running the WhatsOrder - Instant Checkout for WooCommerce plugin (all versions through 1.0.1) because the plugin writes customer invoice HTML files to a publicly accessible directory with no access restrictions. The `yapacdev_generate_order_pdf` function deposits invoices under `wp-content/uploads/whatsorder_invoices/` without generating an `.htaccess` deny rule or `index.php` guard, and because WooCommerce uses predictable sequential order IDs, any remote attacker can enumerate and download every customer invoice with no authentication. Exposed data includes full name, email, phone number, billing address, itemized order contents with pricing, applied coupon codes, shipping method, and order total. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in the Advance Nav Menu Manager WordPress plugin (all versions through 1.3) permits any authenticated subscriber-level user to manipulate site navigation menus without authorization. The plugin invokes wp_insert_post() for nav_menu_item operations - duplicate, copy, move, and publish - without enforcing capability checks, allowing low-privilege users to alter navigation structure at will. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the low barrier to exploitation (any registered subscriber account) makes it a meaningful risk on sites with open or compromised user registration.
Stored Cross-Site Scripting in the WP Latest Posts WordPress plugin (versions up to and including 5.0.11) allows authenticated attackers with author-level access to plant persistent JavaScript payloads by crafting malicious image src attributes in post content. The plugin's field() and loop() functions in wplp-front.inc.php extract raw src values via regex and reconstruct HTML img elements or CSS background-image declarations through direct string concatenation, entirely bypassing WordPress's built-in kses sanitization. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the scope change to the victim's browser context enables session hijacking or credential theft against any user who visits an injected page.
Stored Cross-Site Scripting in Avalon23 Products Filter for WooCommerce (≤1.1.6) allows authenticated Contributors to inject persistent JavaScript via the `avalon23_qr` shortcode's `title` and `fixed_link` attributes, which are concatenated unsanitized into single-quoted HTML attributes by `AVALON23_HELPER::draw_html_item()`. The payload is stored in the WordPress database and executes in the browser of any user who subsequently visits an injected page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the Mir Blocks and Shortcodes WordPress plugin (versions up to and including 1.0.0) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript into pages via unsanitized shortcode attributes - specifically the 'title' and 'ready_animation_text' parameters of the msc_stats() rendering function. Any site visitor who loads an injected page executes the attacker's script in their browser, enabling session theft, credential harvesting, or in-page content manipulation. No public exploit or CISA KEV listing is confirmed at time of analysis, but the low privilege requirement (contributor) makes this accessible to a broad class of registered WordPress users.
Authenticated information disclosure in the 24liveblog WordPress plugin (versions ≤ 2.2) exposes third-party API credentials - including OAuth access tokens, refresh tokens, account UIDs, and usernames - to any contributor-level WordPress user who opens the block editor. The plugin's lb24_block_enqueue_scripts() function, hooked to enqueue_block_editor_assets, retrieves administrator-configured integration secrets from the WordPress options table and renders them into the page as a JavaScript global object (lb24BlockData) for all non-administrator users, where they are readable via basic browser source inspection. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but exploitation is trivially simple for any user holding a WordPress contributor account.
Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv `pravel_invoice_change_password()` AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward.
Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed.
Unauthenticated stored cross-site scripting in the WP Meta SEO WordPress plugin (versions ≤ 4.5.18 by Joomunited) lets remote attackers persist arbitrary JavaScript into the `wp_wpms_links.link_url` database column by sending HTTP requests with a malicious URI to any 404 path. The payload executes in the browser of any administrator who opens the plugin's '404 & Redirects' admin page, enabling session hijacking or admin-on-behalf actions. No public exploit identified at time of analysis; no KEV listing.
{id}' without a permission_callback, which causes WordPress core to expose it publicly with no credential check whatsoever. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack mechanics require no specialized tooling.
Cross-Site Request Forgery in the MP Customize Login Page WordPress plugin (all versions ≤ 1.0) enables unauthenticated remote attackers to overwrite login page settings - background, logo URL, image dimensions, button colors, and login message - by tricking a logged-in administrator into submitting a crafted request. The root cause is a doubly defective nonce implementation in enter_mpclp_login_options(): the check is logically inverted (blocking valid nonces while passing invalid ones) and the required action parameter is omitted from wp_verify_nonce(), rendering the entire check dead code. Compounding this, the settings handler is registered on the init hook without any capability gate, so no privilege level is required from the attacker. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Authorization bypass in the Generate Security.txt WordPress plugin (all versions through 1.0.12) allows authenticated attackers with subscriber-level access to delete the site's security.txt file or create the .well-known directory by invoking unprotected AJAX actions directly. The root cause is a failure to verify user capabilities before executing the delete_securitytxt and create_wellknown_folder AJAX handlers, a classic CWE-862 (Missing Authorization) pattern reported by Wordfence. No public exploit or CISA KEV listing has been identified at time of analysis, and with a CVSS score of 4.3 and limited integrity impact, this is a low-urgency but straightforward-to-exploit flaw for any authenticated WordPress user.
Unauthenticated token manipulation in the SearchPlus WordPress plugin (versions up to and including 1.7.1) allows any remote visitor to overwrite or delete the plugin's stored API credentials by invoking two unprotected AJAX callbacks. Both searchplus_save_token_action_callback() and searchplus_reset_token_action_callback() are registered via wp_ajax_nopriv_ hooks and lack both capability checks and nonce validation, making them freely accessible without authentication. No public exploit or active exploitation has been identified at time of analysis, and real-world impact is limited to disruption of the plugin's search functionality or substitution of attacker-controlled account tokens.
Unauthorized token overwrite in the 24liveblog WordPress plugin (versions ≤ 2.2) enables any authenticated user with author-level access or above to hijack the site's 24liveblog service integration. The AJAX handler update_lb24_token() validates only a nonce that is automatically distributed to all block-editor-capable users, but performs no capability check and does not verify that the supplied user_id matches the requester - allowing an author-level attacker to overwrite lb24_token, lb24_uid, lb24_refresh_token, and lb24_uname meta fields for any account including administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and CVSS rates this as medium-low (4.3), consistent with the authenticated-only, integrity-limited impact.
Unauthenticated SQL injection in the ClearSale Total WordPress plugin (all versions through 3.4.2) allows remote attackers to extract sensitive database contents via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action. The flaw is reachable without authentication because the nopriv AJAX handler ships with a commented-out die() in the nonce-failure branch, and on PHP < 8.0 loose type juggling bypasses the switch/case integer guard. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected Cross-Site Scripting in the EntreDroppers WordPress plugin (all versions through 1.1.2) allows unauthenticated attackers to inject arbitrary JavaScript into victim browsers by embedding script payloads in the URL path-info segment, which PHP reflects unsanitized through the PHP_SELF server variable into the form action attribute at EntreDroppers.php line 223. Successful exploitation requires tricking an authenticated WordPress administrator into clicking a crafted link pointing to the /wp-admin/ context, making this a social-engineering-dependent attack. No public exploit code or active exploitation has been identified at time of analysis; no patch has been confirmed from available data.
Server-side request forgery in the Kargo Takip WordPress plugin (versions through 1.2) allows unauthenticated remote attackers to coerce the site into issuing arbitrary HTTP requests via the 'api_url' parameter and to exfiltrate data from internal services. Because the plugin echoes the value of any 'auth' key from the JSON response back to the attacker, it enables direct retrieval of sensitive responses such as cloud instance metadata credentials. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.
Cross-Site Request Forgery in the Blue Captcha WordPress plugin (versions ≤ 2.0.1) allows unauthenticated attackers to trigger destructive administrative operations - including plugin uninstall, audit log deletion, Hall of Shame wipe, and arbitrary IP blocklist manipulation - by tricking a logged-in administrator into clicking a crafted link. The root cause is a complete absence of nonce validation (`wp_verify_nonce`, `check_admin_referer`, `check_ajax_referer`) across all admin handler entry points, confirmed by Wordfence with direct source code references. No public exploit has been identified at time of analysis, and no patched version has been confirmed.
Unauthorized settings deletion in the Assistio WordPress plugin (versions ≤ 1.1.2) allows any authenticated Subscriber-level user to invoke the assistio_plugin_delete_assistio_settings() function and wipe critical plugin options, including the 'assistiobot_oauth_settings' OAuth token, breaking the site's Assistio bot integration. The function lacks both WordPress capability verification and nonce validation - two standard WordPress security controls - meaning the authorization boundary is entirely absent. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS score of 4.3 accurately reflects the limited but real integrity impact against low-privilege authenticated attackers.
Unauthenticated remote attackers can disconnect any WordPress site running the Secufor_OAuth plugin from its linked Secufor identity account by triggering an unprotected action handler that clears the stored OAuth token and login configuration. All plugin versions through 1.0.7 are affected, confirmed by Wordfence and traceable to specific lines in the plugin source. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the trivially low attack complexity (AV:N/AC:L/PR:N) means exploitation requires only an HTTP request.
Authorization bypass in the Reviews and Rating - Docplanner WordPress plugin (versions ≤ 1.1.4) allows any authenticated subscriber-level user to invoke privileged plugin actions without proper capability checks. Exploitation enables two distinct abuse paths: triggering server-side outbound scraping of attacker-controlled or arbitrary external URLs with results written to the wp_dp_reviews database table, and dispatching feature-request emails impersonating the site administrator's address. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the MotorDesk WordPress plugin (all versions ≤ 1.1.2) allows unauthenticated remote attackers to overwrite critical plugin configuration settings by tricking a logged-in administrator into clicking a crafted link. The vulnerable function motordesk_admin_home in motordesk_admin.php lacks proper WordPress nonce validation, meaning the server accepts state-changing POST requests without confirming the administrator intentionally submitted them. No public exploit code has been identified at time of analysis; the CVSS 4.3 Medium score accurately reflects the social-engineering dependency, though the custom template directory path setting warrants secondary scrutiny for potential path traversal chaining.
Privilege escalation in the Welcome Software Publishing WordPress plugin (versions ≤ 0.0.31) allows any authenticated user with Subscriber-level access or above to update arbitrary WordPress options via the nc.setOption XML-RPC method. By modifying the default_role option to 'administrator' and registering a new account, attackers achieve full site takeover. No public exploit identified at time of analysis, but the attack pattern is trivial and well-documented for similar WordPress XML-RPC missing-capability flaws.
Unauthenticated data deletion in the Advanced Contact Form 7 - Compact DB WordPress plugin (versions up to and including 1.0.0) allows any remote attacker to permanently destroy all stored contact form submissions. The root cause is registration of the deletion handler against the `wp_ajax_nopriv_cf7cdb_delete` hook, which WordPress exposes to unauthenticated users, combined with a complete absence of nonce verification, capability checks, and ownership validation before invoking `$wpdb->delete()`. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is trivially automatable due to sequential integer primary keys and no authentication barrier.