WordPress
Monthly
Stored cross-site scripting in the Cincopa video and media plug-in for WordPress (versions ≤1.163) allows unauthenticated commenters to inject persistent JavaScript via the [cincopa] shortcode processed by the comment_text filter. Any visitor or administrator viewing the affected post executes the attacker's script in their browser session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the WP Forms Connector WordPress plugin (versions up to and including 1.8) allows unauthenticated remote attackers to extract sensitive database contents via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint. The endpoint is exposed with permission_callback '__return_true' and only validates a 'Username' header against an administrator account without verifying the corresponding 'Password', making the authentication check trivially bypassable. No public exploit identified at time of analysis, but the trivial bypass and unsanitized ORDER BY concatenation make weaponization straightforward.
Server-Side Request Forgery in the WP Meta SEO WordPress plugin (all versions through 4.5.18) enables authenticated contributors to coerce the web server into issuing arbitrary outbound HTTP requests via the `new_link` parameter, with the response status code reflected back through the AJAX JSON response as `status_code`. This status-code oracle allows methodical enumeration of internal network hosts and cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), making it particularly dangerous in cloud-hosted WordPress deployments. No public exploit identified at time of analysis, though the vulnerability is confirmed by Wordfence with direct source code references and the technique is well-understood.
Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. By sequentially enumerating integer account IDs, an unauthenticated attacker can harvest account names, bank names, and opening balances for every financial account stored in the plugin. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity makes opportunistic automation highly likely.
Cross-Site Request Forgery in the Book a Room Event Calendar WordPress plugin (all versions through 1.9) allows unauthenticated remote attackers to overwrite sensitive plugin configuration - including external database host, credentials, encryption key, and registration URL - by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of WordPress nonce mechanisms (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce()) in both the settings form and its handler, meaning any browser-submitted POST during an active admin session is honored unconditionally. No public exploit has been identified at time of analysis, and the plugin is a niche product, limiting real-world blast radius despite the sensitive nature of the overwriteable fields.
Stored cross-site scripting in the Email JavaScript Cloak WordPress plugin (versions ≤1.03) allows authenticated contributors and higher to inject arbitrary JavaScript via unsanitized attributes of the plugin's 'email' shortcode. The payload executes in any visitor's browser that renders the affected page, enabling session theft or site defacement. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.
Server-Side Request Forgery in the WordPress URL Preview plugin (all versions through 1.0) allows unauthenticated attackers to coerce the WordPress server into making arbitrary outbound HTTP requests via the 'url' parameter. The flaw, reported by Wordfence and tracked as CWE-918, enables querying or modifying data on internal services reachable from the WordPress host, including cloud metadata endpoints and internal admin panels. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable given AV:N/AC:L/PR:N/UI:N.
Cross-Site Request Forgery in the Osiris Signature Banner WordPress plugin (all versions ≤ 0.5) enables unauthenticated attackers to update plugin settings and inject stored XSS payloads by tricking an authenticated administrator into triggering a forged request. Missing nonce validation across at least four functions (lines 107, 118, 139, and 189 of osiris-signature-banner.php) means any forged cross-origin form submission executed in an active admin session bypasses all server-side origin checks. No public exploit identified at time of analysis and no KEV listing is present, but the stored XSS secondary impact elevates real-world risk above a typical CSRF-only finding.
Stored cross-site scripting in the ARForms WordPress plugin (versions ≤7.1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the `value` parameter of the `arf_save_incomplete_form_data` AJAX endpoint, with the payload executing in an administrator's browser when they view the Partial Filled Form Entries dashboard page. No public exploit identified at time of analysis, though Wordfence's disclosure provides enough technical detail to reproduce the injection. Successful exploitation typically leads to admin account takeover and full WordPress site compromise.
Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the `custom_attributes` parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. No public exploit identified at time of analysis, though Wordfence has published source-code-level vulnerability locations across multiple widget layout files.
Stored Cross-Site Scripting in the ProfileGrid WordPress plugin (all versions through 5.9.9.2) allows authenticated users with Subscriber-level access to inject persistent malicious scripts via the `pm_author_message` parameter in the private messaging function `pm_send_message_to_author`. The injected payload executes in any user's browser upon visiting the affected page, with a changed scope (S:C) meaning impact can extend to the broader WordPress session context - including potential admin account compromise. No public exploit has been identified at time of analysis, and a partial patch in version 5.9.8.5 does not fully remediate the issue, leaving sites running through 5.9.9.2 exposed.
Unauthenticated file disclosure in the Frontend File Manager Plugin for WordPress (all versions through 23.6) exposes every user-uploaded file to anonymous download via identifier enumeration. The plugin's file download handler fails to properly enforce WordPress nonce validation, stripping the only access control gate between unauthenticated HTTP requests and user-uploaded content. A public proof-of-concept is available via WPScan, and SSVC assessment confirms the attack is automatable - any script that iterates numeric file identifiers can bulk-harvest uploaded documents, images, or sensitive attachments without credentials. Not currently listed in CISA KEV.
Stored Cross-Site Scripting in the Frontend File Manager Plugin for WordPress (versions through 23.6) allows any authenticated subscriber-level user to compromise administrator sessions by injecting malicious script payloads via the frontend file-rename endpoint. The unsanitized filename is persisted as post meta and subsequently rendered unescaped within the WordPress admin File Manager listing, triggering execution whenever an administrator views that interface. A publicly available proof-of-concept exists per WPScan, and no confirmed patched version is identified in available data, making this an unresolved risk for all sites running this plugin at or below version 23.6.
Reflected cross-site scripting in the Simple Basic Contact Form WordPress plugin (all versions through 20250114) allows unauthenticated remote attackers to execute arbitrary JavaScript in a visitor's browser when the victim follows a crafted link or submits a cross-site forged form that triggers a validation error. Publicly available exploit details have been published by WPScan, though the issue is not listed in CISA KEV and no EPSS data is provided in the input.
SQL injection in the Infility Global WordPress plugin before 2.15.19 allows authenticated users with Subscriber-level access or higher to inject arbitrary SQL via unsanitized parameters. Publicly available exploit code exists (WPScan), and a vendor patch has been released, raising the practical risk on sites that allow open user registration. No CISA KEV listing at time of analysis.
Time-based blind SQL injection in the Infility Global WordPress plugin (versions before 2.15.20) enables authenticated attackers holding Editor-level access or higher to extract arbitrary data from the WordPress database. The unsanitized `orderby` and `order` parameters in three admin callbacks - `import_list()`, `url_detail()`, and `file_detail()` - are passed directly into SQL queries without validation or parameterization. A publicly available proof-of-concept exploit exists per WPScan (EUVD-2026-38416), and the CVSS S:C designation confirms that impact extends beyond the plugin itself to the full underlying database; no confirmed active exploitation (CISA KEV) has been documented at time of analysis.
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Pie Register WordPress plugin versions before 3.8.4.10 generates account verification tokens with insufficient randomness, enabling unauthenticated remote attackers to predict or enumerate valid tokens and activate registered accounts without receiving the associated verification email. This effectively bypasses the email-as-ownership-proof step in the registration flow, allowing account takeover of any pending registration. A publicly available exploit exists per WPScan; SSVC flags the attack as automatable with partial technical impact, though no confirmed active exploitation appears in CISA KEV at time of analysis.
WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contributors to delete, move, create folders, and download arbitrary server files by exploiting a missing authorization check on the 'frontmanage' shortcode attribute. The attack is non-trivial but fully described: an attacker creates a draft post embedding the 'eeSFL' shortcode, loads the WordPress post preview endpoint to harvest a valid nonce, then submits file operation requests to ee-list-ops-bar-process.php that bypass the intended privilege checks. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; a patch changeset (3579098) exists in the plugin repository, though the released fixed version is not independently confirmed.
Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.
Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows unauthenticated remote attackers to alter or remove files on the server. The flaw stems from a broken authorization guard where an is_admin() check short-circuits before the AllowFrontManage setting is evaluated, leaving every installation exposed regardless of configuration. No public exploit identified at time of analysis, but the bug is reachable on default settings and was disclosed by Wordfence.
Arbitrary file deletion in the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin (versions ≤1.5.1) allows remote unauthenticated attackers to poison form entries with traversal payloads that, when later viewed by an administrator, delete arbitrary server files and can be escalated to remote code execution by removing wp-config.php. Reported by Wordfence with publicly available exploit code exists via the Wordfence advisory; no public exploit identified at time of analysis as weaponized in-the-wild attacks, and the issue is not in CISA KEV.
Unauthenticated account takeover in the Branda (white-labeling) plugin for WordPress through version 3.4.29 allows remote attackers to reset arbitrary user passwords, including administrators, by abusing a password update flow that fails to verify the requester's identity. Wordfence-reported flaw is tracked as CVE-2026-11551 with a CVSS 9.8; no public exploit identified at time of analysis, but the trivial exploitability of the vulnerable signup-password module makes weaponization straightforward once the patched code is diffed.
Authorization bypass in the WP Go Maps WordPress plugin (all versions up to and including 10.1.01) permits unauthenticated remote attackers to insert arbitrary records into plugin-managed database tables - maps, markers, circles, polygons, polylines, rectangles, and point labels - by exploiting a race condition between namespace validation and query execution in the plugin's REST API. The flaw exists because the WPGMZA prefix check in the phpClass parameter validation passes for legitimate plugin classes such as WPGMZA\Map and WPGMZA\Marker, which trigger a SQL INSERT into the corresponding table before the route rejects the request. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated network vector and low attack complexity make it trivially abusable against the wide WordPress install base.
Unauthorized subscription data exposure in the 2Download Connector for 2DL Hosted Checkout WordPress plugin allows unauthenticated network attackers to read arbitrary customers' subscription records - including subscription status, product names, order IDs, purchase dates, and expiry dates - across all versions up to and including 0.1.5. The root cause is a missing authorization check in the plugin's shortcode handlers (Shortcodes.php), meaning any unauthenticated HTTP request can trigger the data-retrieval logic without identity verification. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Unauthenticated REST API webhook manipulation in the STRABL checkout plugin for WordPress (all versions through 4.5) allows any remote attacker to commit payment fraud, manipulate WooCommerce order states, create customer-role user accounts, issue arbitrary refunds, cancel orders, and apply chargeback fees - all without credentials or payment. The root cause is a WordPress REST endpoint registered at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which bypasses all authentication by design. No public exploit code or KEV listing is confirmed at time of analysis, but the vulnerability is trivially exploitable given the open endpoint and well-documented attack surface.
Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hospitality business data to any authenticated Subscriber-level user. Affected AJAX handlers lack WordPress capability checks, enabling low-privilege users to read other guests' booking line items, enumerate active coupon codes, and access internal pricing data across the entire site. A public proof-of-concept exploit exists per WPScan; while not confirmed actively exploited in CISA KEV, the low authentication barrier and publicly available exploit represent meaningful real-world risk for any hotel or hospitality site with user registration enabled.
Unauthenticated remote code execution in BetterDocs Pro for WordPress (versions through 3.8.0) is achievable by abusing the `doc_style` parameter to include arbitrary local PHP files. Wordfence has assigned a critical 9.8 CVSS score, and while no public exploit identified at time of analysis, the unauthenticated network-reachable nature of the flaw on a widely deployed WordPress documentation plugin makes opportunistic mass-exploitation likely once details propagate.
Stored Cross-Site Scripting in the Blocksy Companion WordPress plugin (all versions through 2.1.45) enables authenticated users with editor-level privileges or above to inject persistent JavaScript payloads via admin settings in the product-reviews extension, executing silently in any site visitor's browser on page load. Exploitation is gated by two mandatory deployment conditions - WordPress multisite networks or installations where unfiltered_html has been explicitly disabled - materially narrowing the real-world attack surface beyond what the network-accessible CVSS vector alone implies. No public exploit has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis; an upstream patch commit (changeset 3576066) exists but the exact fixed release version is not independently confirmed from available data.
Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) plugin for WordPress (≤3.1.39) allows any remote attacker to trigger immediate Subject Access Request (SAR) fulfillment for an arbitrary victim email, receiving tokenized download links in the HTTP response that expose WordPress account details, comment history, email addresses, and IP addresses. The plugin's CSRF nonce - the only gate protecting this action - is publicly rendered by the SAR shortcode form and shared across all anonymous visitors, rendering it entirely ineffective as an access control mechanism. No active exploitation is confirmed (not in CISA KEV) and no public POC is confirmed at time of analysis, though the Wordfence advisory includes direct source code references identifying the exact vulnerable code paths.
Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. No public exploit identified at time of analysis, but the CVSS 9.1 score reflects trivial network exploitation with no authentication or user interaction.
Arbitrary file read in Royal Addons for Elementor versions 1.7.1058-1.7.1059 allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the PHP process - including wp-config.php and its database credentials - via a crafted wpr-data-table widget saved through Elementor's save_builder endpoint. The flaw is a regression: the vulnerable wpr_get_csv_handle() helper was itself introduced in version 1.7.1058 as the remediation for a prior CVE (CVE-2026-6229), meaning the security patch introduced a new, exploitable path. No public exploit has been identified at time of analysis, but the low privilege bar (Contributor) and high-value disclosure target (database credentials) elevate real-world risk on WordPress sites that permit open or low-friction contributor registration.
Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. No public exploit is identified at time of analysis, but the attack requires only a default integration configuration, substantially lowering the practical barrier to exploitation.
Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.
Sensitive information exposure in the Bogo WordPress plugin through version 3.9.1 allows authenticated users with subscriber-level access to extract the raw title, body content, excerpt, and password of any private, draft, or password-protected post by abusing the translation duplication endpoint. The REST API handler bogo_rest_create_post_translation enforced only a locale-access capability check, which all authenticated users can satisfy, and returned raw post field values in the API response without verifying whether the requestor had read or edit rights over the source content. No public exploit code or active exploitation (CISA KEV) is confirmed at time of analysis, though the attack path is straightforward for any authenticated WordPress user.
Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. No public exploit identified at time of analysis, but the contributor-level authentication threshold makes this accessible on any WordPress site permitting open or shared content authorship.
Arbitrary file read via path traversal in the Woosa - Marktplaats for WooCommerce WordPress plugin (versions up to and including 2.0.4) permits authenticated WordPress administrators to escape the plugin's log directory and access any file readable by the web server process, including the sensitive wp-config.php file. The flaw exists in the render_logs_ui() function within class-module-logger-hook-settings.php, which decodes a base64-supplied filename from the log_file GET parameter and concatenates it with the log directory path without any boundary enforcement. No public exploit code or active exploitation has been identified at time of analysis; the attack surface is meaningfully constrained by the Administrator-level privilege requirement (PR:H), though successful exploitation could cascade into full site compromise via exposed database credentials.
Stored Cross-Site Scripting in the Creavi Appointment Booking Calendar plugin for WordPress (all versions through 1.4.4) allows authenticated attackers holding Author-level access or higher to permanently inject arbitrary JavaScript via unsanitized custom booking field labels. The malicious payload executes in the browser of any user who subsequently visits a page containing the injected booking form, enabling session hijacking, credential harvesting, or malicious redirects against site visitors and administrators alike. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a fix commit is available in the WordPress plugin Trac repository.
Missing authorization in the Classified Listing WordPress plugin (versions through 5.4.2) allows authenticated attackers with Subscriber-level accounts to overwrite the featured image of any listing on the site, regardless of ownership. The vulnerability originates in the rtcl_fb_gallery_image_update_as_feature AJAX handler, which accepts arbitrary user-supplied listing IDs and attachment IDs while relying solely on a nonce that is freely accessible to all logged-in frontend users - providing no meaningful access barrier for low-privilege accounts. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in CISA KEV.
Cross-Site Request Forgery in the User Admin Simplifier WordPress plugin (all versions up to and including 3.0.0) enables unauthenticated remote attackers to permanently delete any user's stored admin menu and admin-bar configuration by tricking a logged-in site administrator into submitting a forged request. The flaw exists because the `useradminsimplifier_options_page` function performs no valid nonce check before invoking `uas_save_admin_options()`, which unconditionally overwrites the `useradminsimplifier_options` database entry. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA's Known Exploited Vulnerabilities catalog.
Stored Cross-Site Scripting in the Slideshow Gallery LITE WordPress plugin (all versions through 1.8.5) allows authenticated attackers with Contributor-level access to persistently inject arbitrary JavaScript via the 'alwaysauto' shortcode attribute, which then executes in the browser of any user who visits the affected page. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, a classic CWE-79 pattern. The scope change in the CVSS vector (S:C) reflects that the injected script runs outside the plugin's security context - in victim users' browsers - enabling session hijacking, credential theft, or admin account takeover. No public exploit or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the Fancy Testimonials WordPress plugin (all versions ≤ 1.0, by dijitul) permits any authenticated Contributor-level user to persist arbitrary JavaScript via the 'author' attribute of the [testimonial] shortcode, which executes in every subsequent visitor's browser context. The CVSS scope change (S:C) reflects that injected scripts operate within the victim's browser session — enabling session hijacking, credential theft, or malicious redirects targeting site visitors and administrators alike. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the attack technique is trivially reproducible given knowledge of the shortcode parameter.
Sensitive customer PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.01) allows any authenticated user with Contributor-level access to exfiltrate booking records from calendars they do not own. The root cause is an IDOR (Insecure Direct Object Reference) in the cpabc_appointments_calendar_load2() function: the function enforces only a broad role check (edit_posts capability) without verifying that the requesting user owns the calendar ID supplied via the id parameter. Exposed records include customer names, email addresses, phone numbers, booking times, and freeform comments, making this a meaningful PII breach risk on multi-author WordPress installations. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Server-Side Request Forgery in the CF7 to Webhook WordPress plugin (versions up to and including 5.0.0) allows unauthenticated attackers to coerce the WordPress server into issuing arbitrary outbound HTTP requests through the pull_the_trigger functionality. Exploitation is conditional on an administrator configuring the webhook URL with a Contact Form 7 field placeholder inside the host portion of the URL, with the form publicly reachable. No public exploit identified at time of analysis, and there is no CISA KEV listing for this vulnerability.
Stored Cross-Site Scripting in PowerPress Podcasting plugin by Blubrry (WordPress, versions ≤ 11.16.8) allows authenticated attackers with Author-level access to plant persistent JavaScript payloads via the 'embed' Episode Meta Field, executing in every visitor's browser on affected episode pages. The vulnerability is architecturally significant because the embed value is written through `update_post_meta()` rather than WordPress's post content pipeline, causing kses sanitization to be skipped entirely - bypassing the role-based XSS mitigations that WordPress normally enforces even for Author-role users who lack the `unfiltered_html` capability. No public exploit or CISA KEV listing has been identified at time of analysis, though the low authentication barrier (Author level) makes multi-author WordPress sites an elevated-risk target.
Reflected Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (versions ≤ 4.3.6) enables unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'tab' parameter in the admin settings page. Exploitation is constrained by a critical precondition: the vulnerable `plugin_options_page()` function is rendered exclusively in the WordPress admin dashboard, meaning the targeted victim must hold Shop Manager-level access or higher and be socially engineered into clicking a crafted link while authenticated. No public exploit code or CISA KEV listing has been identified at time of analysis; this is a no public exploit identified at time of analysis scenario reported by Wordfence.
Insecure Direct Object Reference in the UsersWP WordPress plugin (versions through 1.2.63) allows authenticated editor-level users to permanently delete or reset the avatar and banner images of any WordPress user account, including site administrators, by supplying an arbitrary user_id parameter. The vulnerability lies in missing authorization validation on the user_id key within image management handlers across class-forms.php, class-userswp.php, and class-profile.php, directly manipulating the uwp_usermeta table. No public exploit has been identified at time of analysis, and real-world severity is constrained by the high-privilege authentication prerequisite.
Stored Cross-Site Scripting in the Customize My Account For WooCommerce WordPress plugin (versions up to and including 4.3.6) allows authenticated attackers with Contributor-level access to inject persistent JavaScript payloads via the 'sysbasics_user_avatar' shortcode. The flaw originates in the wcmamtx_get_avatar_default() function, which concatenates unescaped user-supplied shortcode attributes (min_height, min_width, max_height, max_width) directly into the get_avatar() extra_attr style attribute, bypassing sanitization entirely. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though Wordfence has published full technical details including the vulnerable source lines.
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote code execution on any WordPress server running an affected installation whose form fields have an empty extension allowlist. The vulnerability is reachable via an unauthenticated AJAX endpoint, requires no privileges or user interaction, and a publicly available proof-of-concept exploit exists per WPScan. Despite the plugin's limited adoption, the combination of a public exploit, zero authentication requirement, and full server-side code execution makes this a materially higher-risk issue than the vendor-assigned CVSS score of 6.5 suggests.
Stored Cross-Site Scripting in the Orbit Fox WordPress plugin (ThemeIsle) allows authenticated administrators to inject persistent malicious scripts into pages served to any visiting user. Affected are all versions through 3.0.6, but only under specific deployment conditions: WordPress multisite networks or installations where the unfiltered_html capability has been explicitly disabled. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 4.4 reflects the elevated prerequisites and limited per-incident impact, though scope-changed XSS can still enable session theft and secondary phishing in affected deployments.
Stored Cross-Site Scripting in the bplugins Services Section Block WordPress plugin (all versions through 1.4.4) enables authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'link' block attribute. The payload evades wp_kses_post sanitization by embedding inside HTML comments at save time, then executes from two rendering paths - the primary service link anchor and a secondary title-wrapped anchor - when the linkIn option is set to 'title'. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the scope-changed (S:C) nature means injected content executes in any site visitor's browser session, enabling session hijacking or credential theft at scale.
Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence disclosure provides full technical detail including source line references, lowering the bar for weaponization.
Authorization bypass in the Simple Membership WordPress plugin (≤4.7.5) enables unauthenticated remote attackers to forcibly deactivate any member account by submitting a forged Stripe charge.refunded webhook payload carrying a known victim subscription ID. The plugin's webhook handler skips HMAC signature verification when the stripe-webhook-signing-secret option is absent - the default installation state - accepting the forged event as legitimate and setting the target account_state to 'inactive', firing cancellation hooks, recording a transaction status change, and dispatching a cancellation notification email. No public exploit has been identified at time of analysis, and no KEV listing exists, but the zero-prerequisite network attack path against default-configured sites elevates practical risk above the 5.3 CVSS score suggests.
SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authenticated administrator. The flaw resides in the withdrawal-request management flow - specifically WithdrawModel.php and withdraw_requests.php - where a 'data' parameter is passed to SQL queries without adequate escaping or parameterization. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the data-exposure impact (C:H) is real, and a patched release (3.9.12) is confirmed in the WordPress plugin repository.
Unauthorized cross-teacher quiz rule tampering in the PressPrimer Quiz WordPress plugin (all versions ≤ 2.3.0) is possible via an IDOR flaw in the plugin's REST API, where the `rule_id` parameter is accepted without ownership validation. Any authenticated user holding a custom-level role or above - such as a teacher - can supply arbitrary `rule_id` values to modify or delete quiz rules belonging to other teachers. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 3.1 score of 4.3 (PR:L, I:L) reflects the authentication requirement and integrity-only impact.
SQL Injection in the Advanced Order Export For WooCommerce WordPress plugin (versions up to and including 4.0.10) allows authenticated shop managers to append arbitrary SQL to existing queries via the unsanitized 'sort_direction' parameter, enabling full read-access to the WordPress database. Wordfence confirmed the flaw, which is compounded by the plugin's deliberate stripping of WordPress magic quotes protection through stripslashes_deep(), permitting SQL metacharacters to reach the query context intact. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Sensitive information exposure in Kadence Blocks (WordPress plugin) versions up to and including 3.7.5 allows authenticated contributors to read the site's Kadence license key, license owner email, api_key, api_email, and license domain directly from the browser console via the JavaScript global window.kadence_blocks_params.proData. The credentials are serialized client-side through the editor_assets_variables mechanism and require no server-side manipulation to extract. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. No active exploitation is confirmed (not in CISA KEV), and exploitation is constrained by the administrator privilege requirement, though the high confidentiality impact from unrestricted database read access remains a meaningful concern for multi-tenant or shared WordPress environments.
Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. The root cause is CWE-862 (Missing Authorization): the get_events handler performs no publication-status or capability check before returning event records. No public exploit identified at time of analysis, but the endpoint is trivially callable by any unauthenticated HTTP client.
Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.
Unauthenticated CSV export of form submission data in the FireBox Popups WordPress plugin (versions up to and including 3.1.7) exposes full personally identifiable information collected by any form on the site. The flaw lies in an unprotected endpoint that accepts a `form_id` parameter without authentication or authorization checks, allowing any remote attacker to enumerate form IDs and download complete submission records. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the trivial exploitation conditions and PII exposure make this a meaningful privacy and compliance risk for affected WordPress deployments.
SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. No active exploitation is confirmed (not listed in CISA KEV), no public POC has been identified at time of analysis, and the mandatory administrator-level authentication prerequisite substantially constrains real-world mass exploitation risk.
Authorization bypass in Equalize Digital Accessibility Checker for WordPress (all versions ≤ 1.42.1) allows authenticated author-level users to dismiss, ignore, or restore accessibility audit records belonging to posts they do not own. The flaw lies in the plugin's REST API handler accepting the attacker's own issue ID as a sufficient authorization token, and the `largeBatch=true` parameter then triggers a bulk operation that propagates the action across all site-wide issues sharing the same 'object' value - including those on administrator-owned posts. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; however, the Wordfence advisory includes direct source code references confirming the vulnerable logic.
Privilege escalation in the E2Pdf - Export Pdf Tool for WordPress plugin (versions ≤ 1.32.26) allows authenticated low-privilege users with the e2pdf_templates capability to overwrite arbitrary WordPress options and elevate themselves to administrator. The flaw stems from the screen_action() function lacking a capability check and nonce verification, letting attackers pass attacker-controlled option names and values directly to update_option(). No public exploit identified at time of analysis, but the issue was disclosed by Wordfence with detailed source-line references making weaponization straightforward.
Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allows authenticated vendor-level users to manipulate arbitrary marketplace orders they do not own, in all versions up to and including 5.0.3. Affected operations include changing order status, injecting customer-facing notes that trigger WooCommerce notification emails to buyers, deleting any order note or WordPress comment by raw ID, inserting fraudulent shipping tracking data, and granting or revoking downloadable product access on any order in the installation. The nonce-based CSRF protection provides no ownership barrier because vendors legitimately generate valid nonces from their own dashboard pages and can replay them against any order ID - no public exploit identified at time of analysis, though vulnerable code paths are confirmed in source at version 5.0.1 by Wordfence.
Blind SQL injection in the Cargo RD 'Cargo Shipping Location for WooCommerce' WordPress plugin (versions up to and including 5.6) allows remote unauthenticated attackers to inject arbitrary SQL via unsanitized input passed to backend database queries. The flaw carries a CVSS 3.1 base score of 9.3 (Critical) due to its network-reachable, no-privilege, no-interaction profile and scope-changed confidentiality impact, and no public exploit identified at time of analysis.
PHP Object Injection in the Entrepreneur - Booking for Small Businesses WordPress theme through version 3.1.3 allows authenticated subscriber-level users to trigger unsafe deserialization, potentially leading to full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.8 reflecting high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Unauthenticated local file inclusion in the ThemeREX LuxMed Medicine & Healthcare Doctor WordPress theme versions 1.2.2 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server. The flaw is CWE-98 (improper control of filename for include/require) and carries CVSS 8.1 (high), though attack complexity is high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated privilege escalation in the ThemeGrill Registration Form for WooCommerce WordPress plugin (versions <= 1.0.9) allows remote attackers to elevate privileges without credentials, potentially gaining administrative control over the WordPress site. With a CVSS of 9.8 and no public exploit identified at time of analysis, the flaw is reported by Patchstack and tagged as a Privilege Escalation issue in the WordPress plugin ecosystem.
Unauthenticated broken access control in the WooCommerce Anti-Fraud WordPress plugin by OPMC (versions ≤ 7.2.6) allows remote unauthenticated attackers to perform unauthorized actions against the anti-fraud layer of WooCommerce stores. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no credentials or user interaction are required, and CWE-862 (Missing Authorization) identifies the root cause as absent capability or permission checks on one or more plugin endpoints. With integrity (I:L) and availability (A:L) impacts, attackers could potentially interfere with or circumvent fraud detection logic, enabling fraudulent orders to pass undetected or disrupting store operations. No public exploit code has been identified and CISA KEV listing is absent at time of analysis.
Broken authentication in WooCommerce Dropshipping plugin versions 5.2.4 and earlier allows unauthenticated remote attackers to bypass authentication controls via an alternate path or channel (CWE-288), yielding partial confidentiality and integrity impact on affected WordPress e-commerce installations. Reported by Patchstack, the flaw is confirmed at CVSS 6.5 Medium with a fully network-accessible, zero-complexity attack path requiring no privileges or user interaction. No public exploit code or CISA KEV listing exists at time of analysis, moderating real-world urgency despite the low exploitation barrier.
Unauthenticated PHP object injection in the WooCommerce Product Filters WordPress plugin (versions prior to 2.0.6) allows remote attackers to deserialize attacker-controlled data and trigger PHP magic methods on existing application gadgets. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, arbitrary file operations, or full site takeover depending on available POP chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated broken access control in PremiumPress WordPress Dating Theme through version 11.2.0 allows remote attackers to reach restricted functionality without credentials, resulting in high confidentiality impact and limited integrity and availability impact. The flaw was disclosed via Patchstack and currently has no public exploit identified at time of analysis, but the network-reachable, no-interaction vector (AV:N/AC:L/PR:N/UI:N) makes opportunistic abuse against exposed sites realistic. No CISA KEV listing or EPSS score is provided in the input.
Cross-Site Request Forgery in PremiumPress WordPress Dating Theme versions 11.2.0 and earlier allows remote attackers to coerce authenticated victims into performing unintended state-changing actions, with Patchstack documenting an account takeover path. The CVSS 8.8 rating reflects high impact on confidentiality, integrity, and availability when a targeted user is tricked into visiting attacker-controlled content. No public exploit identified at time of analysis and the theme has not been listed in CISA KEV.
SQL injection in the WooCommerce Frontend Manager - Ultimate WordPress plugin (versions prior to 6.7.7) allows authenticated subscriber-level users to inject SQL via plugin-handled input, exposing database contents and enabling limited data tampering on affected WooCommerce sites. The CVSS 8.5 rating reflects a scope change reaching the underlying database with high confidentiality impact. No public exploit identified at time of analysis.
Arbitrary file download in the WooCommerce Book Price WordPress plugin (versions 1.3 and earlier) allows remote attackers to retrieve arbitrary files from the underlying server filesystem via path traversal. The CVSS vector indicates network-reachable exploitation without authentication or user interaction, yielding high confidentiality impact with no integrity or availability effects. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the Events Schedule - WordPress Events Calendar plugin (versions <= 2.7.2) by CurlyThemes allows authenticated users with Subscriber-level privileges to inject arbitrary SQL into backend database queries. Because the CVSS scope is Changed with high confidentiality impact, a successful attacker can read data beyond the plugin's intended boundary, potentially exfiltrating WordPress user hashes and site secrets. No public exploit identified at time of analysis, and the issue is reported by Patchstack.
Unauthenticated arbitrary file upload in the Extendons 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' (versions <= 1.0.7) lets remote attackers upload arbitrary files, including PHP webshells, to vulnerable WordPress sites and gain code execution. The CVSS 10.0 score with Scope:Changed reflects that compromise of the plugin can escalate to full host takeover, though no public exploit was identified at time of analysis and the flaw is not listed in CISA KEV.
Arbitrary file deletion in QuantumCloud WPBot Pro WordPress Chatbot plugin versions 13.6.5 and earlier allows authenticated subscriber-level users to delete arbitrary files on the WordPress host via a path traversal flaw. With no public exploit identified at time of analysis, the issue still carries elevated risk because exploitation requires only the lowest-privilege WordPress role, which is auto-grantable on sites that allow open registration. Deleting files such as wp-config.php can trigger the WordPress install routine and lead to full site takeover.
Unauthenticated arbitrary file download in the Premium Age Verification / Restriction for WordPress plugin (versions ≤ 3.0.2) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials or user interaction. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability impact, consistent with file disclosure rather than code execution. There is no public exploit identified at time of analysis and the issue is not present in CISA KEV, but Patchstack has confirmed the flaw against a default plugin installation.
Privilege escalation in the Contest Gallery WordPress plugin (versions ≤ 30.0.2) allows authenticated Contributor/Author-level users to overwrite the stored RegistryUserRole option to 'administrator', causing newly registered Google sign-in accounts to be promoted to Administrator. The flaw was disclosed by Wordfence and stems from a missing capability check in the option-saving handler; no public exploit identified at time of analysis.
PHP Object Injection in the Counter Box WordPress plugin (all versions through 2.0.13) allows authenticated administrators to deserialize attacker-controlled input via the plugin's import functionality, with deserialization triggered automatically on the post-import redirect and again when any imported item is opened for editing. The vulnerability carries no standalone impact - exploitation is entirely contingent on a Property-Oriented Programming (POP) chain being present in a separately installed plugin or theme, at which point an attacker could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit is identified at time of analysis, and the CVSS AC:H and PR:H ratings reflect both the administrative access requirement and the environmental dependency on co-installed POP chain software.
Stored Cross-Site Scripting in the Permalink Manager Lite WordPress plugin (all versions through 2.5.3.3) allows authenticated contributors to inject persistent JavaScript into the admin URI Editor interface via crafted post titles. The payload executes in the browser of any administrator who subsequently visits the Permalink Manager page, enabling session hijacking or unauthorized admin-level actions. No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; vendor-released patch 2.5.3.4 is available.
Stored cross-site scripting in the Cincopa video and media plug-in for WordPress (versions ≤1.163) allows unauthenticated commenters to inject persistent JavaScript via the [cincopa] shortcode processed by the comment_text filter. Any visitor or administrator viewing the affected post executes the attacker's script in their browser session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the WP Forms Connector WordPress plugin (versions up to and including 1.8) allows unauthenticated remote attackers to extract sensitive database contents via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint. The endpoint is exposed with permission_callback '__return_true' and only validates a 'Username' header against an administrator account without verifying the corresponding 'Password', making the authentication check trivially bypassable. No public exploit identified at time of analysis, but the trivial bypass and unsanitized ORDER BY concatenation make weaponization straightforward.
Server-Side Request Forgery in the WP Meta SEO WordPress plugin (all versions through 4.5.18) enables authenticated contributors to coerce the web server into issuing arbitrary outbound HTTP requests via the `new_link` parameter, with the response status code reflected back through the AJAX JSON response as `status_code`. This status-code oracle allows methodical enumeration of internal network hosts and cloud metadata services (e.g., AWS IMDSv1 at 169.254.169.254), making it particularly dangerous in cloud-hosted WordPress deployments. No public exploit identified at time of analysis, though the vulnerability is confirmed by Wordfence with direct source code references and the technique is well-understood.
Unauthenticated information disclosure in the Devs Accounting WordPress plugin (all versions through 1.2.0) exposes private financial account records to any internet-connected attacker. The REST API endpoint /devs-accounting/v1/get-account/<id> was registered with a permission_callback that unconditionally returns true, entirely bypassing WordPress authorization. By sequentially enumerating integer account IDs, an unauthenticated attacker can harvest account names, bank names, and opening balances for every financial account stored in the plugin. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the trivial attack complexity makes opportunistic automation highly likely.
Cross-Site Request Forgery in the Book a Room Event Calendar WordPress plugin (all versions through 1.9) allows unauthenticated remote attackers to overwrite sensitive plugin configuration - including external database host, credentials, encryption key, and registration URL - by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of WordPress nonce mechanisms (no wp_nonce_field(), check_admin_referer(), or wp_verify_nonce()) in both the settings form and its handler, meaning any browser-submitted POST during an active admin session is honored unconditionally. No public exploit has been identified at time of analysis, and the plugin is a niche product, limiting real-world blast radius despite the sensitive nature of the overwriteable fields.
Stored cross-site scripting in the Email JavaScript Cloak WordPress plugin (versions ≤1.03) allows authenticated contributors and higher to inject arbitrary JavaScript via unsanitized attributes of the plugin's 'email' shortcode. The payload executes in any visitor's browser that renders the affected page, enabling session theft or site defacement. No public exploit identified at time of analysis, and the plugin is not listed in CISA KEV.
Server-Side Request Forgery in the WordPress URL Preview plugin (all versions through 1.0) allows unauthenticated attackers to coerce the WordPress server into making arbitrary outbound HTTP requests via the 'url' parameter. The flaw, reported by Wordfence and tracked as CWE-918, enables querying or modifying data on internal services reachable from the WordPress host, including cloud metadata endpoints and internal admin panels. No public exploit identified at time of analysis, but the vulnerability is trivially exploitable given AV:N/AC:L/PR:N/UI:N.
Cross-Site Request Forgery in the Osiris Signature Banner WordPress plugin (all versions ≤ 0.5) enables unauthenticated attackers to update plugin settings and inject stored XSS payloads by tricking an authenticated administrator into triggering a forged request. Missing nonce validation across at least four functions (lines 107, 118, 139, and 189 of osiris-signature-banner.php) means any forged cross-origin form submission executed in an active admin session bypasses all server-side origin checks. No public exploit identified at time of analysis and no KEV listing is present, but the stored XSS secondary impact elevates real-world risk above a typical CSRF-only finding.
Stored cross-site scripting in the ARForms WordPress plugin (versions ≤7.1.3) allows unauthenticated remote attackers to inject arbitrary JavaScript via the `value` parameter of the `arf_save_incomplete_form_data` AJAX endpoint, with the payload executing in an administrator's browser when they view the Partial Filled Form Entries dashboard page. No public exploit identified at time of analysis, though Wordfence's disclosure provides enough technical detail to reproduce the injection. Successful exploitation typically leads to admin account takeover and full WordPress site compromise.
Stored Cross-Site Scripting in the Xpro Addons plugin for WordPress (versions ≤1.7.2) allows authenticated attackers holding author-level or higher roles to permanently embed arbitrary JavaScript via the `custom_attributes` parameter across at least 12 distinct Elementor widget frontend templates. The injected payload executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or administrative account takeover without further attacker interaction. No public exploit identified at time of analysis, though Wordfence has published source-code-level vulnerability locations across multiple widget layout files.
Stored Cross-Site Scripting in the ProfileGrid WordPress plugin (all versions through 5.9.9.2) allows authenticated users with Subscriber-level access to inject persistent malicious scripts via the `pm_author_message` parameter in the private messaging function `pm_send_message_to_author`. The injected payload executes in any user's browser upon visiting the affected page, with a changed scope (S:C) meaning impact can extend to the broader WordPress session context - including potential admin account compromise. No public exploit has been identified at time of analysis, and a partial patch in version 5.9.8.5 does not fully remediate the issue, leaving sites running through 5.9.9.2 exposed.
Unauthenticated file disclosure in the Frontend File Manager Plugin for WordPress (all versions through 23.6) exposes every user-uploaded file to anonymous download via identifier enumeration. The plugin's file download handler fails to properly enforce WordPress nonce validation, stripping the only access control gate between unauthenticated HTTP requests and user-uploaded content. A public proof-of-concept is available via WPScan, and SSVC assessment confirms the attack is automatable - any script that iterates numeric file identifiers can bulk-harvest uploaded documents, images, or sensitive attachments without credentials. Not currently listed in CISA KEV.
Stored Cross-Site Scripting in the Frontend File Manager Plugin for WordPress (versions through 23.6) allows any authenticated subscriber-level user to compromise administrator sessions by injecting malicious script payloads via the frontend file-rename endpoint. The unsanitized filename is persisted as post meta and subsequently rendered unescaped within the WordPress admin File Manager listing, triggering execution whenever an administrator views that interface. A publicly available proof-of-concept exists per WPScan, and no confirmed patched version is identified in available data, making this an unresolved risk for all sites running this plugin at or below version 23.6.
Reflected cross-site scripting in the Simple Basic Contact Form WordPress plugin (all versions through 20250114) allows unauthenticated remote attackers to execute arbitrary JavaScript in a visitor's browser when the victim follows a crafted link or submits a cross-site forged form that triggers a validation error. Publicly available exploit details have been published by WPScan, though the issue is not listed in CISA KEV and no EPSS data is provided in the input.
SQL injection in the Infility Global WordPress plugin before 2.15.19 allows authenticated users with Subscriber-level access or higher to inject arbitrary SQL via unsanitized parameters. Publicly available exploit code exists (WPScan), and a vendor patch has been released, raising the practical risk on sites that allow open user registration. No CISA KEV listing at time of analysis.
Time-based blind SQL injection in the Infility Global WordPress plugin (versions before 2.15.20) enables authenticated attackers holding Editor-level access or higher to extract arbitrary data from the WordPress database. The unsanitized `orderby` and `order` parameters in three admin callbacks - `import_list()`, `url_detail()`, and `file_detail()` - are passed directly into SQL queries without validation or parameterization. A publicly available proof-of-concept exploit exists per WPScan (EUVD-2026-38416), and the CVSS S:C designation confirms that impact extends beyond the plugin itself to the full underlying database; no confirmed active exploitation (CISA KEV) has been documented at time of analysis.
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator.
The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices.
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Pie Register WordPress plugin versions before 3.8.4.10 generates account verification tokens with insufficient randomness, enabling unauthenticated remote attackers to predict or enumerate valid tokens and activate registered accounts without receiving the associated verification email. This effectively bypasses the email-as-ownership-proof step in the registration flow, allowing account takeover of any pending registration. A publicly available exploit exists per WPScan; SSVC flags the attack as automatable with partial technical impact, though no confirmed active exploitation appears in CISA KEV at time of analysis.
WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Unauthorized file operations in the Simple File List WordPress plugin (versions through 6.3.7) allow authenticated contributors to delete, move, create folders, and download arbitrary server files by exploiting a missing authorization check on the 'frontmanage' shortcode attribute. The attack is non-trivial but fully described: an attacker creates a draft post embedding the 'eeSFL' shortcode, loads the WordPress post preview endpoint to harvest a valid nonce, then submits file operation requests to ee-list-ops-bar-process.php that bypass the intended privilege checks. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; a patch changeset (3579098) exists in the plugin repository, though the released fixed version is not independently confirmed.
Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.
Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows unauthenticated remote attackers to alter or remove files on the server. The flaw stems from a broken authorization guard where an is_admin() check short-circuits before the AllowFrontManage setting is evaluated, leaving every installation exposed regardless of configuration. No public exploit identified at time of analysis, but the bug is reachable on default settings and was disclosed by Wordfence.
Arbitrary file deletion in the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin (versions ≤1.5.1) allows remote unauthenticated attackers to poison form entries with traversal payloads that, when later viewed by an administrator, delete arbitrary server files and can be escalated to remote code execution by removing wp-config.php. Reported by Wordfence with publicly available exploit code exists via the Wordfence advisory; no public exploit identified at time of analysis as weaponized in-the-wild attacks, and the issue is not in CISA KEV.
Unauthenticated account takeover in the Branda (white-labeling) plugin for WordPress through version 3.4.29 allows remote attackers to reset arbitrary user passwords, including administrators, by abusing a password update flow that fails to verify the requester's identity. Wordfence-reported flaw is tracked as CVE-2026-11551 with a CVSS 9.8; no public exploit identified at time of analysis, but the trivial exploitability of the vulnerable signup-password module makes weaponization straightforward once the patched code is diffed.
Authorization bypass in the WP Go Maps WordPress plugin (all versions up to and including 10.1.01) permits unauthenticated remote attackers to insert arbitrary records into plugin-managed database tables - maps, markers, circles, polygons, polylines, rectangles, and point labels - by exploiting a race condition between namespace validation and query execution in the plugin's REST API. The flaw exists because the WPGMZA prefix check in the phpClass parameter validation passes for legitimate plugin classes such as WPGMZA\Map and WPGMZA\Marker, which trigger a SQL INSERT into the corresponding table before the route rejects the request. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated network vector and low attack complexity make it trivially abusable against the wide WordPress install base.
Unauthorized subscription data exposure in the 2Download Connector for 2DL Hosted Checkout WordPress plugin allows unauthenticated network attackers to read arbitrary customers' subscription records - including subscription status, product names, order IDs, purchase dates, and expiry dates - across all versions up to and including 0.1.5. The root cause is a missing authorization check in the plugin's shortcode handlers (Shortcodes.php), meaning any unauthenticated HTTP request can trigger the data-retrieval logic without identity verification. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Unauthenticated REST API webhook manipulation in the STRABL checkout plugin for WordPress (all versions through 4.5) allows any remote attacker to commit payment fraud, manipulate WooCommerce order states, create customer-role user accounts, issue arbitrary refunds, cancel orders, and apply chargeback fees - all without credentials or payment. The root cause is a WordPress REST endpoint registered at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which bypasses all authentication by design. No public exploit code or KEV listing is confirmed at time of analysis, but the vulnerability is trivially exploitable given the open endpoint and well-documented attack surface.
Missing authorization controls in the WP Hotel Booking WordPress plugin (all versions before 2.3.1) expose sensitive hospitality business data to any authenticated Subscriber-level user. Affected AJAX handlers lack WordPress capability checks, enabling low-privilege users to read other guests' booking line items, enumerate active coupon codes, and access internal pricing data across the entire site. A public proof-of-concept exploit exists per WPScan; while not confirmed actively exploited in CISA KEV, the low authentication barrier and publicly available exploit represent meaningful real-world risk for any hotel or hospitality site with user registration enabled.
Unauthenticated remote code execution in BetterDocs Pro for WordPress (versions through 3.8.0) is achievable by abusing the `doc_style` parameter to include arbitrary local PHP files. Wordfence has assigned a critical 9.8 CVSS score, and while no public exploit identified at time of analysis, the unauthenticated network-reachable nature of the flaw on a widely deployed WordPress documentation plugin makes opportunistic mass-exploitation likely once details propagate.
Stored Cross-Site Scripting in the Blocksy Companion WordPress plugin (all versions through 2.1.45) enables authenticated users with editor-level privileges or above to inject persistent JavaScript payloads via admin settings in the product-reviews extension, executing silently in any site visitor's browser on page load. Exploitation is gated by two mandatory deployment conditions - WordPress multisite networks or installations where unfiltered_html has been explicitly disabled - materially narrowing the real-world attack surface beyond what the network-accessible CVSS vector alone implies. No public exploit has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis; an upstream patch commit (changeset 3576066) exists but the exact fixed release version is not independently confirmed from available data.
Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) plugin for WordPress (≤3.1.39) allows any remote attacker to trigger immediate Subject Access Request (SAR) fulfillment for an arbitrary victim email, receiving tokenized download links in the HTTP response that expose WordPress account details, comment history, email addresses, and IP addresses. The plugin's CSRF nonce - the only gate protecting this action - is publicly rendered by the SAR shortcode form and shared across all anonymous visitors, rendering it entirely ineffective as an access control mechanism. No active exploitation is confirmed (not in CISA KEV) and no public POC is confirmed at time of analysis, though the Wordfence advisory includes direct source code references identifying the exact vulnerable code paths.
Arbitrary file deletion in the Avada (Fusion) Builder WordPress plugin through version 3.15.3 allows remote unauthenticated attackers to delete any file on the server via path traversal in the maybe_delete_files function, which commonly escalates to remote code execution when wp-config.php is removed and WordPress enters setup mode. Wordfence reports the flaw is reachable through the wp_ajax_nopriv_fusion_form_submit_ajax handler on sites that have a published Avada form saving entries to the database. No public exploit identified at time of analysis, but the CVSS 9.1 score reflects trivial network exploitation with no authentication or user interaction.
Arbitrary file read in Royal Addons for Elementor versions 1.7.1058-1.7.1059 allows authenticated attackers with Contributor-level access to retrieve the contents of any file readable by the PHP process - including wp-config.php and its database credentials - via a crafted wpr-data-table widget saved through Elementor's save_builder endpoint. The flaw is a regression: the vulnerable wpr_get_csv_handle() helper was itself introduced in version 1.7.1058 as the remediation for a prior CVE (CVE-2026-6229), meaning the security patch introduced a new, exploitable path. No public exploit has been identified at time of analysis, but the low privilege bar (Contributor) and high-value disclosure target (database credentials) elevate real-world risk on WordPress sites that permit open or low-friction contributor registration.
Server-Side Request Forgery in the Bit Integrations WordPress plugin (all versions through 2.8.7) allows unauthenticated attackers to force the web server to issue arbitrary HTTP requests to internal or external locations via the upload_attachment function. Exploitation enables querying and modifying data from internal services reachable by the web server, including metadata services in cloud environments, internal APIs, or private network endpoints. No public exploit is identified at time of analysis, but the attack requires only a default integration configuration, substantially lowering the practical barrier to exploitation.
Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.
Sensitive information exposure in the Bogo WordPress plugin through version 3.9.1 allows authenticated users with subscriber-level access to extract the raw title, body content, excerpt, and password of any private, draft, or password-protected post by abusing the translation duplication endpoint. The REST API handler bogo_rest_create_post_translation enforced only a locale-access capability check, which all authenticated users can satisfy, and returned raw post field values in the API response without verifying whether the requestor had read or edit rights over the source content. No public exploit code or active exploitation (CISA KEV) is confirmed at time of analysis, though the attack path is straightforward for any authenticated WordPress user.
Stored Cross-Site Scripting in BetterDocs WordPress plugin (versions ≤4.5.3) allows authenticated contributors to inject persistent malicious scripts via the unescaped blockId attribute of the betterdocs/category-slate-layout Gutenberg block. The injected payload executes in the browser of any visitor who loads the compromised page, enabling session hijacking, credential theft, or admin-level privilege escalation against site operators. No public exploit identified at time of analysis, but the contributor-level authentication threshold makes this accessible on any WordPress site permitting open or shared content authorship.
Arbitrary file read via path traversal in the Woosa - Marktplaats for WooCommerce WordPress plugin (versions up to and including 2.0.4) permits authenticated WordPress administrators to escape the plugin's log directory and access any file readable by the web server process, including the sensitive wp-config.php file. The flaw exists in the render_logs_ui() function within class-module-logger-hook-settings.php, which decodes a base64-supplied filename from the log_file GET parameter and concatenates it with the log directory path without any boundary enforcement. No public exploit code or active exploitation has been identified at time of analysis; the attack surface is meaningfully constrained by the Administrator-level privilege requirement (PR:H), though successful exploitation could cascade into full site compromise via exposed database credentials.
Stored Cross-Site Scripting in the Creavi Appointment Booking Calendar plugin for WordPress (all versions through 1.4.4) allows authenticated attackers holding Author-level access or higher to permanently inject arbitrary JavaScript via unsanitized custom booking field labels. The malicious payload executes in the browser of any user who subsequently visits a page containing the injected booking form, enabling session hijacking, credential harvesting, or malicious redirects against site visitors and administrators alike. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis, though a fix commit is available in the WordPress plugin Trac repository.
Missing authorization in the Classified Listing WordPress plugin (versions through 5.4.2) allows authenticated attackers with Subscriber-level accounts to overwrite the featured image of any listing on the site, regardless of ownership. The vulnerability originates in the rtcl_fb_gallery_image_update_as_feature AJAX handler, which accepts arbitrary user-supplied listing IDs and attachment IDs while relying solely on a nonce that is freely accessible to all logged-in frontend users - providing no meaningful access barrier for low-privilege accounts. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in CISA KEV.
Cross-Site Request Forgery in the User Admin Simplifier WordPress plugin (all versions up to and including 3.0.0) enables unauthenticated remote attackers to permanently delete any user's stored admin menu and admin-bar configuration by tricking a logged-in site administrator into submitting a forged request. The flaw exists because the `useradminsimplifier_options_page` function performs no valid nonce check before invoking `uas_save_admin_options()`, which unconditionally overwrites the `useradminsimplifier_options` database entry. No public exploit code has been identified at time of analysis, and this CVE does not appear in CISA's Known Exploited Vulnerabilities catalog.
Stored Cross-Site Scripting in the Slideshow Gallery LITE WordPress plugin (all versions through 1.8.5) allows authenticated attackers with Contributor-level access to persistently inject arbitrary JavaScript via the 'alwaysauto' shortcode attribute, which then executes in the browser of any user who visits the affected page. The root cause is insufficient input sanitization and output escaping on user-supplied shortcode attributes, a classic CWE-79 pattern. The scope change in the CVSS vector (S:C) reflects that the injected script runs outside the plugin's security context - in victim users' browsers - enabling session hijacking, credential theft, or admin account takeover. No public exploit or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the Fancy Testimonials WordPress plugin (all versions ≤ 1.0, by dijitul) permits any authenticated Contributor-level user to persist arbitrary JavaScript via the 'author' attribute of the [testimonial] shortcode, which executes in every subsequent visitor's browser context. The CVSS scope change (S:C) reflects that injected scripts operate within the victim's browser session — enabling session hijacking, credential theft, or malicious redirects targeting site visitors and administrators alike. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the attack technique is trivially reproducible given knowledge of the shortcode parameter.
Sensitive customer PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.01) allows any authenticated user with Contributor-level access to exfiltrate booking records from calendars they do not own. The root cause is an IDOR (Insecure Direct Object Reference) in the cpabc_appointments_calendar_load2() function: the function enforces only a broad role check (edit_posts capability) without verifying that the requesting user owns the calendar ID supplied via the id parameter. Exposed records include customer names, email addresses, phone numbers, booking times, and freeform comments, making this a meaningful PII breach risk on multi-author WordPress installations. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Server-Side Request Forgery in the CF7 to Webhook WordPress plugin (versions up to and including 5.0.0) allows unauthenticated attackers to coerce the WordPress server into issuing arbitrary outbound HTTP requests through the pull_the_trigger functionality. Exploitation is conditional on an administrator configuring the webhook URL with a Contact Form 7 field placeholder inside the host portion of the URL, with the form publicly reachable. No public exploit identified at time of analysis, and there is no CISA KEV listing for this vulnerability.
Stored Cross-Site Scripting in PowerPress Podcasting plugin by Blubrry (WordPress, versions ≤ 11.16.8) allows authenticated attackers with Author-level access to plant persistent JavaScript payloads via the 'embed' Episode Meta Field, executing in every visitor's browser on affected episode pages. The vulnerability is architecturally significant because the embed value is written through `update_post_meta()` rather than WordPress's post content pipeline, causing kses sanitization to be skipped entirely - bypassing the role-based XSS mitigations that WordPress normally enforces even for Author-role users who lack the `unfiltered_html` capability. No public exploit or CISA KEV listing has been identified at time of analysis, though the low authentication barrier (Author level) makes multi-author WordPress sites an elevated-risk target.
Reflected Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (versions ≤ 4.3.6) enables unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'tab' parameter in the admin settings page. Exploitation is constrained by a critical precondition: the vulnerable `plugin_options_page()` function is rendered exclusively in the WordPress admin dashboard, meaning the targeted victim must hold Shop Manager-level access or higher and be socially engineered into clicking a crafted link while authenticated. No public exploit code or CISA KEV listing has been identified at time of analysis; this is a no public exploit identified at time of analysis scenario reported by Wordfence.
Insecure Direct Object Reference in the UsersWP WordPress plugin (versions through 1.2.63) allows authenticated editor-level users to permanently delete or reset the avatar and banner images of any WordPress user account, including site administrators, by supplying an arbitrary user_id parameter. The vulnerability lies in missing authorization validation on the user_id key within image management handlers across class-forms.php, class-userswp.php, and class-profile.php, directly manipulating the uwp_usermeta table. No public exploit has been identified at time of analysis, and real-world severity is constrained by the high-privilege authentication prerequisite.
Stored Cross-Site Scripting in the Customize My Account For WooCommerce WordPress plugin (versions up to and including 4.3.6) allows authenticated attackers with Contributor-level access to inject persistent JavaScript payloads via the 'sysbasics_user_avatar' shortcode. The flaw originates in the wcmamtx_get_avatar_default() function, which concatenates unescaped user-supplied shortcode attributes (min_height, min_width, max_height, max_width) directly into the get_avatar() extra_attr style attribute, bypassing sanitization entirely. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though Wordfence has published full technical details including the vulnerable source lines.
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote code execution on any WordPress server running an affected installation whose form fields have an empty extension allowlist. The vulnerability is reachable via an unauthenticated AJAX endpoint, requires no privileges or user interaction, and a publicly available proof-of-concept exploit exists per WPScan. Despite the plugin's limited adoption, the combination of a public exploit, zero authentication requirement, and full server-side code execution makes this a materially higher-risk issue than the vendor-assigned CVSS score of 6.5 suggests.
Stored Cross-Site Scripting in the Orbit Fox WordPress plugin (ThemeIsle) allows authenticated administrators to inject persistent malicious scripts into pages served to any visiting user. Affected are all versions through 3.0.6, but only under specific deployment conditions: WordPress multisite networks or installations where the unfiltered_html capability has been explicitly disabled. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 4.4 reflects the elevated prerequisites and limited per-incident impact, though scope-changed XSS can still enable session theft and secondary phishing in affected deployments.
Stored Cross-Site Scripting in the bplugins Services Section Block WordPress plugin (all versions through 1.4.4) enables authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'link' block attribute. The payload evades wp_kses_post sanitization by embedding inside HTML comments at save time, then executes from two rendering paths - the primary service link anchor and a secondary title-wrapped anchor - when the linkIn option is set to 'title'. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the scope-changed (S:C) nature means injected content executes in any site visitor's browser session, enabling session hijacking or credential theft at scale.
Cross-Site Request Forgery in the Optimole WordPress plugin (all versions through 4.2.6) allows unauthenticated remote attackers to overwrite existing media attachment files by forging multipart POST requests targeting the replace_file function, provided the attacker can socially engineer a WordPress user with at least Author-level access into clicking a crafted link. The missing nonce validation in the attachment_edit.php handler means the server cannot distinguish legitimate requests from forged ones, enabling arbitrary content injection into any attachment the victim can edit. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence disclosure provides full technical detail including source line references, lowering the bar for weaponization.
Authorization bypass in the Simple Membership WordPress plugin (≤4.7.5) enables unauthenticated remote attackers to forcibly deactivate any member account by submitting a forged Stripe charge.refunded webhook payload carrying a known victim subscription ID. The plugin's webhook handler skips HMAC signature verification when the stripe-webhook-signing-secret option is absent - the default installation state - accepting the forged event as legitimate and setting the target account_state to 'inactive', firing cancellation hooks, recording a transaction status change, and dispatching a cancellation notification email. No public exploit has been identified at time of analysis, and no KEV listing exists, but the zero-prerequisite network attack path against default-configured sites elevates practical risk above the 5.3 CVSS score suggests.
SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authenticated administrator. The flaw resides in the withdrawal-request management flow - specifically WithdrawModel.php and withdraw_requests.php - where a 'data' parameter is passed to SQL queries without adequate escaping or parameterization. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the data-exposure impact (C:H) is real, and a patched release (3.9.12) is confirmed in the WordPress plugin repository.
Unauthorized cross-teacher quiz rule tampering in the PressPrimer Quiz WordPress plugin (all versions ≤ 2.3.0) is possible via an IDOR flaw in the plugin's REST API, where the `rule_id` parameter is accepted without ownership validation. Any authenticated user holding a custom-level role or above - such as a teacher - can supply arbitrary `rule_id` values to modify or delete quiz rules belonging to other teachers. No public exploit is identified at time of analysis and the vulnerability is not listed in CISA KEV; the CVSS 3.1 score of 4.3 (PR:L, I:L) reflects the authentication requirement and integrity-only impact.
SQL Injection in the Advanced Order Export For WooCommerce WordPress plugin (versions up to and including 4.0.10) allows authenticated shop managers to append arbitrary SQL to existing queries via the unsanitized 'sort_direction' parameter, enabling full read-access to the WordPress database. Wordfence confirmed the flaw, which is compounded by the plugin's deliberate stripping of WordPress magic quotes protection through stripslashes_deep(), permitting SQL metacharacters to reach the query context intact. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Sensitive information exposure in Kadence Blocks (WordPress plugin) versions up to and including 3.7.5 allows authenticated contributors to read the site's Kadence license key, license owner email, api_key, api_email, and license domain directly from the browser console via the JavaScript global window.kadence_blocks_params.proData. The credentials are serialized client-side through the editor_assets_variables mechanism and require no server-side manipulation to extract. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
SQL injection in the Form Maker by 10Web WordPress plugin exposes the WordPress database to authenticated admin-level attackers via the unsanitized 'groupids' parameter. All plugin versions through 1.15.43 are affected across multiple code paths in WDW_FM_Library.php and Generete_csv.php. No active exploitation is confirmed (not in CISA KEV), and exploitation is constrained by the administrator privilege requirement, though the high confidentiality impact from unrestricted database read access remains a meaningful concern for multi-tenant or shared WordPress environments.
Unauthenticated sensitive information exposure in the Event Koi Lite WordPress plugin (all versions through 1.3.13.1) allows any remote visitor to retrieve private, draft, and pending event data via the unprotected get_events API endpoint. Exposed data includes virtual meeting URLs, physical venue addresses, GPS coordinates (latitude/longitude), Google Maps links, and RSVP configuration - all belonging to events deliberately kept out of public view. The root cause is CWE-862 (Missing Authorization): the get_events handler performs no publication-status or capability check before returning event records. No public exploit identified at time of analysis, but the endpoint is trivially callable by any unauthenticated HTTP client.
Remote code execution in the Offload, AI & Optimize with Cloudflare Images WordPress plugin (versions ≤1.10.2) allows authenticated Author-level users to inject PHP into wp-config.php via the 'account-id' or 'api-key' parameters of the cf_images_do_setup AJAX handler. The handler enforces only the upload_files capability instead of manage_options, and a single-quote escape flaw lets attackers break out of a PHP string literal during the define() write. No public exploit is identified at time of analysis, but the vulnerability is reported by Wordfence with detailed root-cause analysis.
Unauthenticated CSV export of form submission data in the FireBox Popups WordPress plugin (versions up to and including 3.1.7) exposes full personally identifiable information collected by any form on the site. The flaw lies in an unprotected endpoint that accepts a `form_id` parameter without authentication or authorization checks, allowing any remote attacker to enumerate form IDs and download complete submission records. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis, but the trivial exploitation conditions and PII exposure make this a meaningful privacy and compliance risk for affected WordPress deployments.
SQL Injection in the Form Maker by 10Web WordPress plugin (all versions up to and including 1.15.43) enables authenticated administrators to append arbitrary SQL clauses via the unsanitized 'name' parameter in the admin-side data selection interface, permitting full read access to the underlying WordPress database. The CVSS vector confirms a high confidentiality impact (C:H) but no integrity or availability impact, scoped exclusively to the vulnerable system. No active exploitation is confirmed (not listed in CISA KEV), no public POC has been identified at time of analysis, and the mandatory administrator-level authentication prerequisite substantially constrains real-world mass exploitation risk.
Authorization bypass in Equalize Digital Accessibility Checker for WordPress (all versions ≤ 1.42.1) allows authenticated author-level users to dismiss, ignore, or restore accessibility audit records belonging to posts they do not own. The flaw lies in the plugin's REST API handler accepting the attacker's own issue ID as a sufficient authorization token, and the `largeBatch=true` parameter then triggers a bulk operation that propagates the action across all site-wide issues sharing the same 'object' value - including those on administrator-owned posts. No public exploit identified at time of analysis, and this CVE is not listed in CISA KEV; however, the Wordfence advisory includes direct source code references confirming the vulnerable logic.
Privilege escalation in the E2Pdf - Export Pdf Tool for WordPress plugin (versions ≤ 1.32.26) allows authenticated low-privilege users with the e2pdf_templates capability to overwrite arbitrary WordPress options and elevate themselves to administrator. The flaw stems from the screen_action() function lacking a capability check and nonce verification, letting attackers pass attacker-controlled option names and values directly to update_option(). No public exploit identified at time of analysis, but the issue was disclosed by Wordfence with detailed source-line references making weaponization straightforward.
Insecure Direct Object Reference across six AJAX handlers in the Dokan multivendor marketplace plugin for WordPress allows authenticated vendor-level users to manipulate arbitrary marketplace orders they do not own, in all versions up to and including 5.0.3. Affected operations include changing order status, injecting customer-facing notes that trigger WooCommerce notification emails to buyers, deleting any order note or WordPress comment by raw ID, inserting fraudulent shipping tracking data, and granting or revoking downloadable product access on any order in the installation. The nonce-based CSRF protection provides no ownership barrier because vendors legitimately generate valid nonces from their own dashboard pages and can replay them against any order ID - no public exploit identified at time of analysis, though vulnerable code paths are confirmed in source at version 5.0.1 by Wordfence.
Blind SQL injection in the Cargo RD 'Cargo Shipping Location for WooCommerce' WordPress plugin (versions up to and including 5.6) allows remote unauthenticated attackers to inject arbitrary SQL via unsanitized input passed to backend database queries. The flaw carries a CVSS 3.1 base score of 9.3 (Critical) due to its network-reachable, no-privilege, no-interaction profile and scope-changed confidentiality impact, and no public exploit identified at time of analysis.
PHP Object Injection in the Entrepreneur - Booking for Small Businesses WordPress theme through version 3.1.3 allows authenticated subscriber-level users to trigger unsafe deserialization, potentially leading to full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.8 reflecting high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Unauthenticated local file inclusion in the ThemeREX LuxMed Medicine & Healthcare Doctor WordPress theme versions 1.2.2 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server. The flaw is CWE-98 (improper control of filename for include/require) and carries CVSS 8.1 (high), though attack complexity is high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated privilege escalation in the ThemeGrill Registration Form for WooCommerce WordPress plugin (versions <= 1.0.9) allows remote attackers to elevate privileges without credentials, potentially gaining administrative control over the WordPress site. With a CVSS of 9.8 and no public exploit identified at time of analysis, the flaw is reported by Patchstack and tagged as a Privilege Escalation issue in the WordPress plugin ecosystem.
Unauthenticated broken access control in the WooCommerce Anti-Fraud WordPress plugin by OPMC (versions ≤ 7.2.6) allows remote unauthenticated attackers to perform unauthorized actions against the anti-fraud layer of WooCommerce stores. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no credentials or user interaction are required, and CWE-862 (Missing Authorization) identifies the root cause as absent capability or permission checks on one or more plugin endpoints. With integrity (I:L) and availability (A:L) impacts, attackers could potentially interfere with or circumvent fraud detection logic, enabling fraudulent orders to pass undetected or disrupting store operations. No public exploit code has been identified and CISA KEV listing is absent at time of analysis.
Broken authentication in WooCommerce Dropshipping plugin versions 5.2.4 and earlier allows unauthenticated remote attackers to bypass authentication controls via an alternate path or channel (CWE-288), yielding partial confidentiality and integrity impact on affected WordPress e-commerce installations. Reported by Patchstack, the flaw is confirmed at CVSS 6.5 Medium with a fully network-accessible, zero-complexity attack path requiring no privileges or user interaction. No public exploit code or CISA KEV listing exists at time of analysis, moderating real-world urgency despite the low exploitation barrier.
Unauthenticated PHP object injection in the WooCommerce Product Filters WordPress plugin (versions prior to 2.0.6) allows remote attackers to deserialize attacker-controlled data and trigger PHP magic methods on existing application gadgets. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, arbitrary file operations, or full site takeover depending on available POP chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated broken access control in PremiumPress WordPress Dating Theme through version 11.2.0 allows remote attackers to reach restricted functionality without credentials, resulting in high confidentiality impact and limited integrity and availability impact. The flaw was disclosed via Patchstack and currently has no public exploit identified at time of analysis, but the network-reachable, no-interaction vector (AV:N/AC:L/PR:N/UI:N) makes opportunistic abuse against exposed sites realistic. No CISA KEV listing or EPSS score is provided in the input.
Cross-Site Request Forgery in PremiumPress WordPress Dating Theme versions 11.2.0 and earlier allows remote attackers to coerce authenticated victims into performing unintended state-changing actions, with Patchstack documenting an account takeover path. The CVSS 8.8 rating reflects high impact on confidentiality, integrity, and availability when a targeted user is tricked into visiting attacker-controlled content. No public exploit identified at time of analysis and the theme has not been listed in CISA KEV.
SQL injection in the WooCommerce Frontend Manager - Ultimate WordPress plugin (versions prior to 6.7.7) allows authenticated subscriber-level users to inject SQL via plugin-handled input, exposing database contents and enabling limited data tampering on affected WooCommerce sites. The CVSS 8.5 rating reflects a scope change reaching the underlying database with high confidentiality impact. No public exploit identified at time of analysis.
Arbitrary file download in the WooCommerce Book Price WordPress plugin (versions 1.3 and earlier) allows remote attackers to retrieve arbitrary files from the underlying server filesystem via path traversal. The CVSS vector indicates network-reachable exploitation without authentication or user interaction, yielding high confidentiality impact with no integrity or availability effects. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the Events Schedule - WordPress Events Calendar plugin (versions <= 2.7.2) by CurlyThemes allows authenticated users with Subscriber-level privileges to inject arbitrary SQL into backend database queries. Because the CVSS scope is Changed with high confidentiality impact, a successful attacker can read data beyond the plugin's intended boundary, potentially exfiltrating WordPress user hashes and site secrets. No public exploit identified at time of analysis, and the issue is reported by Patchstack.
Unauthenticated arbitrary file upload in the Extendons 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' (versions <= 1.0.7) lets remote attackers upload arbitrary files, including PHP webshells, to vulnerable WordPress sites and gain code execution. The CVSS 10.0 score with Scope:Changed reflects that compromise of the plugin can escalate to full host takeover, though no public exploit was identified at time of analysis and the flaw is not listed in CISA KEV.
Arbitrary file deletion in QuantumCloud WPBot Pro WordPress Chatbot plugin versions 13.6.5 and earlier allows authenticated subscriber-level users to delete arbitrary files on the WordPress host via a path traversal flaw. With no public exploit identified at time of analysis, the issue still carries elevated risk because exploitation requires only the lowest-privilege WordPress role, which is auto-grantable on sites that allow open registration. Deleting files such as wp-config.php can trigger the WordPress install routine and lead to full site takeover.
Unauthenticated arbitrary file download in the Premium Age Verification / Restriction for WordPress plugin (versions ≤ 3.0.2) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials or user interaction. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability impact, consistent with file disclosure rather than code execution. There is no public exploit identified at time of analysis and the issue is not present in CISA KEV, but Patchstack has confirmed the flaw against a default plugin installation.
Privilege escalation in the Contest Gallery WordPress plugin (versions ≤ 30.0.2) allows authenticated Contributor/Author-level users to overwrite the stored RegistryUserRole option to 'administrator', causing newly registered Google sign-in accounts to be promoted to Administrator. The flaw was disclosed by Wordfence and stems from a missing capability check in the option-saving handler; no public exploit identified at time of analysis.
PHP Object Injection in the Counter Box WordPress plugin (all versions through 2.0.13) allows authenticated administrators to deserialize attacker-controlled input via the plugin's import functionality, with deserialization triggered automatically on the post-import redirect and again when any imported item is opened for editing. The vulnerability carries no standalone impact - exploitation is entirely contingent on a Property-Oriented Programming (POP) chain being present in a separately installed plugin or theme, at which point an attacker could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit is identified at time of analysis, and the CVSS AC:H and PR:H ratings reflect both the administrative access requirement and the environmental dependency on co-installed POP chain software.
Stored Cross-Site Scripting in the Permalink Manager Lite WordPress plugin (all versions through 2.5.3.3) allows authenticated contributors to inject persistent JavaScript into the admin URI Editor interface via crafted post titles. The payload executes in the browser of any administrator who subsequently visits the Permalink Manager page, enabling session hijacking or unauthorized admin-level actions. No active exploitation is confirmed in CISA KEV, and no public exploit code has been identified at time of analysis; vendor-released patch 2.5.3.4 is available.