WordPress
Monthly
Stored XSS in WordPress Stock Ticker plugin through version 3.26.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users viewing affected pages. The vulnerability requires administrator privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
Stored XSS in MailArchiver plugin for WordPress versions up to 4.4.0 allows authenticated administrators to inject malicious scripts through insufficiently sanitized admin settings, affecting multi-site installations and those with disabled unfiltered_html. Attackers with admin privileges can execute arbitrary JavaScript that persists and triggers when other users access affected pages. No patch is currently available.
The ProfileGrid WordPress plugin through version 5.9.8.2 lacks nonce validation on membership request management functions, allowing unauthenticated attackers to forge requests that approve or deny group membership through social engineering of site administrators. An attacker can exploit this CSRF vulnerability to manipulate group membership status by tricking an admin into clicking a malicious link. No patch is currently available for this medium-severity vulnerability.
Unauthorized message deletion in ProfileGrid WordPress plugin versions up to 5.9.8.1 allows authenticated subscribers and above to delete arbitrary messages from any user due to missing capability checks in the pg_delete_msg() function. An attacker can exploit this by sending a crafted request with a valid message ID to remove messages without proper authorization. No patch is currently available for this vulnerability.
Reflected XSS in CM Custom Reports plugin for WordPress (versions up to 1.2.7) allows unauthenticated attackers to inject malicious scripts through inadequately sanitized 'date_from' and 'date_to' parameters. An attacker can exploit this by tricking users into clicking malicious links, causing arbitrary scripts to execute in their browsers with access to sensitive data or session information. No patch is currently available.
SQL injection in WordPress Community Events plugin up to version 1.5.8 allows authenticated administrators to extract sensitive database information through malicious CSV file uploads exploiting inadequately sanitized venue name fields. The vulnerability requires high-level privileges and manual interaction but poses a significant confidentiality risk to WordPress installations using this plugin. No patch is currently available.
PHP object injection in the JS Archive List WordPress plugin (versions up to 6.1.7) allows authenticated contributors and above to deserialize untrusted data through the shortcode 'included' parameter. While no direct exploitation path exists in the plugin itself, attackers could leverage gadget chains from other installed plugins or themes to achieve arbitrary file deletion, information disclosure, or remote code execution. A patch is not currently available.
Stored XSS in the Hammas Calendar WordPress plugin through version 1.5.11 allows authenticated contributors and above to inject malicious scripts via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode due to inadequate input sanitization. When users access pages containing the injected payload, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or malware distribution. No patch is currently available.
Unauthenticated attackers can modify arbitrary custom event fields in the MDJM Event Management plugin for WordPress through versions 1.7.8.1 due to insufficient capability checks in the custom fields controller. This allows remote deletion of custom event data without requiring valid credentials or user interaction. No patch is currently available for this medium-severity vulnerability.
ZIP Code Based Content Protection (WordPress plugin) versions up to 1.0.2 are affected by SQL injection (CVSS 7.5).
Unauthenticated attackers can retrieve rendered HTML content from private, draft, and password-protected reusable blocks in the Greenshift plugin for WordPress (versions up to 12.8.3) due to missing authorization checks in an AJAX handler combined with exposed nonce values. The vulnerability allows an attacker to specify arbitrary post IDs and bypass post status validation to access sensitive block content. No patch is currently available for this medium-severity information disclosure vulnerability.
The HUMN-1 AI Website Scanner & Human Certification plugin for WordPress through version 0.0.3 fails to validate user permissions on the winston_disconnect AJAX function, allowing authenticated Subscriber-level users to disconnect the plugin's API credentials. This capability check bypass enables authenticated attackers to disrupt the plugin's functionality by resetting its API connection settings without proper authorization.
The WP Frontend Profile WordPress plugin through version 1.3.8 lacks CSRF protections on the update_action function, enabling unauthenticated attackers to manipulate user registration approvals or rejections by deceiving administrators into clicking malicious links. This allows attackers to perform unauthorized account management actions without authentication, potentially disrupting legitimate user onboarding processes. No patch is currently available for this vulnerability.
WooCommerce plugin versions 5.4.0 through 10.5.2 fail to properly validate batch requests, enabling unauthenticated attackers to execute administrative actions through CSRF attacks, including creation of arbitrary admin accounts. The vulnerability affects all WordPress installations running vulnerable WooCommerce versions and requires user interaction to exploit. No patch is currently available.
Reflected cross-site scripting in WP All Import plugin versions up to 4.0.0 allows unauthenticated attackers to inject malicious scripts through the 'filepath' parameter due to improper input validation and output encoding. Successful exploitation requires tricking users into clicking a specially crafted link, after which arbitrary JavaScript executes in their browser session. A patch is not currently available.
Authentication bypass in the PowerPack for LearnDash WordPress plugin before version 1.3.0.
WP eCommerce (WordPress plugin) versions up to 3.15.1 are affected by cross-site request forgery (CSRF) (CVSS 4.3).
Animation and Page Builder Block (WordPress plugin) versions up to 12.8.3 are affected by information exposure (CVSS 5.3).
Stored Cross-Site Scripting in the Greenshift page builder plugin for WordPress (versions up to 12.8.5) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the `_gspb_post_css` post meta and `dynamicAttributes` block attributes due to inadequate input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.
Unauthenticated attackers can upload arbitrary files to WordPress sites running the Drag and Drop Multiple File Upload - Contact Form 7 plugin through versions 1.3.7.3 due to insufficient file type validation when wildcard characters are configured in upload fields. Successful exploitation could enable remote code execution on the affected server. No patch is currently available.
WowOptin: Next-Gen Popup Maker plugin for WordPress versions up to 1.4.24 fails to validate user permissions on plugin installation functions, allowing authenticated subscribers to install and activate arbitrary plugins. This privilege escalation vulnerability enables low-privileged attackers to execute remote code with full WordPress permissions. No patch is currently available.
PHP object injection in the Database for CF7/WPforms/Elementor forms WordPress plugin.
SQL injection in WordPress Page and Post Clone plugin up to version 6.3 allows authenticated contributors and above to extract sensitive database information through a second-order injection via the meta_key parameter. The vulnerability stems from insufficient input escaping and query preparation in the content_clone() function, with malicious payloads stored as post metadata and executed during the clone operation. No patch is currently available.
Unauthenticated attackers can escalate privileges in WordPress installations using the Membership Plugin - Restrict Content (versions up to 3.2.20) by registering with arbitrary membership levels, including inactive levels or those granting administrator access, due to insufficient validation of the rcp_level parameter. This allows attackers to bypass payment requirements and gain unauthorized administrative roles without authentication. No patch is currently available for this vulnerability.
The Media Library Assistant plugin for WordPress through version 3.33 fails to validate user permissions in the mla_update_compat_fields_action() function, allowing authenticated subscribers and higher-privileged users to modify taxonomy terms on any attachment. This authorization bypass enables attackers to alter attachment metadata without proper capability restrictions. A patch is not currently available.
Authentication bypass in the Login with Salesforce WordPress plugin through version 1.0.2.
Deserialization of untrusted data in WooCommerce License Manager (fs-license-manager) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
The ThemeREX Healer WordPress theme through version 1.0.0 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file include statements. An attacker can exploit this to access sensitive configuration files, database credentials, and other protected data without authentication. No patch is currently available and exploitation requires no user interaction.
Wholesale Suite (woocommerce-wholesale-prices) by Josh Kohlbach contains a security vulnerability (CVSS 7.1).
The SiteGuard WP Plugin for WordPress through version 1.7.9 contains a guessable CAPTCHA implementation that allows attackers to bypass security protections without authentication. This vulnerability enables attackers to circumvent the plugin's functionality controls and potentially gain unauthorized access to protected resources or perform actions that should be restricted.
The Claue WordPress theme through version 2.2.7 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker crafts a malicious URL and needs only to get a victim to open it; no privileges on the site are required. A successful attack can steal sensitive information, perform actions as the victim, or compromise the victim's session.
WooCommerce Order Details (woocommerce-order-details) by vanquish is affected by missing authorization (CVSS 7.5).
WP Bakery Autoresponder Addon (vc-autoresponder-addon) by kamleshyadav is affected by missing authorization (CVSS 6.5).
WooCommerce Coming Soon Product with Countdown (woo-coming-soon-product) by WebCodingPlace is affected by cross-site scripting (XSS) (CVSS 6.5).
TopFit - Fitness and Gym WordPress Theme (topfit) by Mikado-Themes is affected by PHP remote file inclusion (CVSS 8.1).
TopScorer - Sports WordPress Theme (topscorer) by Mikado-Themes is affected by PHP remote file inclusion (CVSS 8.1).
The AncoraThemes Apollo | Night Club, DJ Event WordPress Theme through version 1.3.1 contains a PHP local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server. The weakness is CWE-98 (improper control of the filename used in an include/require statement) and could let attackers access sensitive configuration files or other protected data. No patch is currently available for affected installations.
The Buzz Stone WordPress theme through version 1.0.2 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files on the affected server. With network access and no user interaction required, an attacker can leverage improper input validation in file inclusion functions to access sensitive data or potentially execute code. No patch is currently available for this vulnerability affecting WordPress installations using the vulnerable theme versions.
The Chronicle WordPress theme version 1.0 and earlier contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the affected server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, or other confidential data stored on the web server. Currently, no patch is available and the vulnerability has a 0.2% probability of exploitation according to EPSS scoring.
The Consultor WordPress theme through version 1.2.4 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files on the server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, and other confidential data. Currently no patch is available, leaving all affected installations vulnerable.
The AC Services WordPress theme through version 1.2.5 contains a local file inclusion vulnerability in PHP that enables unauthenticated remote attackers to read arbitrary files on affected servers. This high-severity flaw allows attackers to access sensitive configuration files and potentially extract credentials or other confidential data. No patch is currently available; sites using this theme should deactivate it or restrict access to it until a fixed version is released.
The CasaMia WordPress theme through version 1.1.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) could expose sensitive configuration files, database credentials, and other confidential data stored on affected WordPress installations. No patch is currently available for this vulnerability.
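The theme local file inclusion entries above (Apollo, Buzz Stone, Chronicle, Consultor, AC Services, CasaMia, and the TopFit/TopScorer remote file inclusion variants) all come down to one pattern: a request parameter chooses which file a PHP include statement loads. The following is an added example, not code from any theme on this page. It builds a throwaway template directory and a stand-in secret file in the system temp directory, shows the vulnerable include leaking the secret through a `../` traversal, and shows an allowlist plus realpath containment check refusing the same input. File names, the allowlist keys and the secret contents are constructed for the demonstration.

```php
<?php
// Added example, not code from any theme on this page. The classic theme LFI:
// a request parameter chooses which template file to include. Vulnerable form,
// why "prefix the directory" is not enough, and an allowlist fix.

declare(strict_types=1);

$tpl_dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($tpl_dir);
file_put_contents("$tpl_dir/header.php", "<?php echo 'header ok'; ?>");
// Stand-in for a sensitive file outside the template directory (constructed).
$secret = dirname($tpl_dir) . '/lfi_demo_secret_' . getmypid() . '.txt';
file_put_contents($secret, "DB_PASSWORD=hunter2\n");

// Vulnerable: attacker-controlled name, only a directory prefix prepended.
// "../" walks out of the directory; php://filter/... exposes PHP source;
// with allow_url_include=On the same line also accepts http:// URLs (RFI).
function include_vulnerable(string $dir, string $name): string {
    ob_start();
    include $dir . '/' . $name;
    return (string) ob_get_clean();
}

// Hardened: the request may only pick a key from a fixed map, and the
// resolved path must still lie inside the template directory.
function include_safe(string $dir, string $name): string {
    $allowed = ['header' => 'header.php', 'footer' => 'footer.php'];
    if (!isset($allowed[$name])) {
        throw new InvalidArgumentException("unknown template: $name");
    }
    $real = realpath($dir . '/' . $allowed[$name]);
    $base = realpath($dir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template outside theme directory');
    }
    ob_start();
    include $real;
    return (string) ob_get_clean();
}

// Traversal payload reads the secret through the vulnerable path...
$traversal = '../' . basename($secret);
$leak = include_vulnerable($tpl_dir, $traversal);
if (strpos($leak, 'hunter2') === false) {
    throw new RuntimeException('expected the vulnerable include to leak the secret');
}

// ...and is refused by the hardened one, which still serves real templates.
$refused = false;
try {
    include_safe($tpl_dir, $traversal);
} catch (InvalidArgumentException $e) {
    $refused = true;
}
if (!$refused) {
    throw new RuntimeException('traversal was not blocked');
}
if (include_safe($tpl_dir, 'header') !== 'header ok') {
    throw new RuntimeException('allowlisted template did not render');
}

unlink("$tpl_dir/header.php");
rmdir($tpl_dir);
unlink($secret);
echo "vulnerable include leaked the secret; allowlisted include refused it\n";
```

The allowlist is the real fix; the realpath containment check is defence in depth against a later edit that puts user input back into the map. Note that a `.txt` file included by PHP is simply echoed, which is exactly how configuration files and credentials leak through these theme bugs even when no PHP in them executes.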
Improper access control in the Blend Media WordPress CTA easy-sticky-sidebar plugin through version 1.7.4 allows unauthenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive functionality. The vulnerability affects WordPress installations running the vulnerable plugin versions and could enable attackers to read restricted information or disrupt service availability. No security patch is currently available.
Builderall Builder for WordPress (builderall-cheetah-for-wp) by Builderall is affected by code injection (CVSS 9.9).
Stored cross-site scripting (improper neutralization of input during web page generation) in Theater for WordPress (theatre) by Jeroen Schmit. This issue affects Theater for WordPress versions through 0.19. [CVSS 6.5 MEDIUM]
Unrestricted file upload in Lendiz (lendiz) WordPress theme allows uploading web shells for remote code execution.
Insertion of sensitive information into sent data in WP Booking System (wp-booking-system) by Roland Murg allows retrieval of embedded sensitive data. This issue affects WP Booking System versions through 2.0.19.12. [CVSS 5.8 MEDIUM]
SQL injection in the Apocalypse Meow WordPress plugin up to version 22.1.0 allows authenticated administrators to execute arbitrary SQL queries due to a flawed validation check combined with improper quote escaping. An authenticated attacker with administrator privileges can exploit this via the 'type' parameter to extract sensitive database information. No patch is currently available.
OoohBoi Steroids for Elementor (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
Unauthenticated attackers can delete arbitrary WordPress media attachments in Fluent Forms Pro Add On Pack versions up to 6.1.17 due to missing authorization checks in the deleteFile() AJAX action. The vulnerable endpoint is accessible to unauthenticated users and accepts an attachment_id parameter without nonce verification or capability validation. No patch is currently available for this medium-severity vulnerability affecting WordPress sites.
Stored XSS in Fluent Forms Pro for WordPress through version 6.1.17 allows unauthenticated attackers to inject malicious scripts into draft form submissions due to missing authentication and insufficient input sanitization on the fluentform_step_form_save_data AJAX action. The injected scripts execute when site administrators access partial form entries, potentially compromising administrator accounts and site integrity. No patch is currently available.
The Seraphinite Accelerator WordPress plugin through version 2.28.14 fails to validate user permissions on the `seraph_accel_api` AJAX endpoint, allowing authenticated subscribers and above to access sensitive operational data including cache status and database state. An attacker with a basic WordPress account can exploit the missing capability checks in the `OnAdminApi_GetData()` function to enumerate system information without administrative rights. No patch is currently available for this information disclosure vulnerability.
The Seraphinite Accelerator WordPress plugin through version 2.28.14 fails to properly validate user permissions on the LogClear AJAX function, allowing authenticated subscribers and higher-privileged users to delete the plugin's debug and operational logs. This capability bypass could enable attackers to cover their tracks or disrupt audit trails on affected WordPress installations. The vulnerability remains unpatched and has not been observed in active exploitation.
Stored XSS in My Calendar WordPress plugin (versions up to 3.7.3) allows authenticated contributors to inject malicious scripts via the template shortcode attribute, which bypasses sanitization through improper use of stripcslashes() at render time. When users access pages containing the injected shortcode, the malicious scripts execute in their browsers. No patch is currently available.
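The My Calendar entry above describes a subtle stored XSS: the attribute is sanitized when saved, but the renderer runs stripcslashes() on it first, which decodes C-style escapes such as `\x3c` back into `<` and recreates a tag the sanitizer never saw. The same lesson applies to the other shortcode-attribute XSS entries on this page (Hammas Calendar's 'apix', Electric Enquiries' 'button'). The following is an added example, not My Calendar's code; strip_tags() stands in for WordPress sanitize_text_field() and htmlspecialchars() for esc_html(), and the payload is constructed.

```php
<?php
// Added example (not My Calendar's code). Models the stripcslashes() bypass:
// a tag-stripping sanitizer runs on the stored attribute, but the renderer
// calls stripcslashes() afterwards, which turns \x3c / \x3e into < and >
// and re-creates the tag the sanitizer never saw.

declare(strict_types=1);

// Stand-in for WordPress sanitize_text_field() at save time (assumption).
function store_attribute(string $raw): string {
    return trim(strip_tags($raw));
}

// Vulnerable render path: decodes C-style escape sequences at output time.
function render_vulnerable(string $stored): string {
    return stripcslashes($stored);
}

// Hardened render path: never decode escapes; HTML-encode on output.
// (htmlspecialchars stands in for WordPress esc_html()/esc_attr().)
function render_safe(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function check(bool $cond, string $msg): void {
    if (!$cond) {
        throw new RuntimeException($msg);
    }
}

// Constructed contributor payload: the angle brackets are written as \x
// escapes, so strip_tags() sees no "<" and leaves the string untouched.
$payload = '\x3cimg src=x onerror=alert(1)\x3e';

$stored = store_attribute($payload);
check($stored === $payload, 'sanitizer should have left the escaped payload alone');

$out = render_vulnerable($stored);
check($out === '<img src=x onerror=alert(1)>', 'expected a live tag from the vulnerable renderer');

$safe = render_safe($stored);
check(strpos($safe, '<') === false, 'hardened renderer must not emit a raw <');

echo "vulnerable: $out\nsafe:       $safe\n";
```

The general rule the example illustrates: sanitize once on input, escape once on output, and never put a decoding step (stripcslashes, stripslashes on already-unslashed data, html_entity_decode, urldecode) between the two, because any decoder can undo what the sanitizer checked.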
Gutena Forms plugin for WordPress allows authenticated Contributor-level users to modify arbitrary site options through insufficient authorization checks in the save_gutena_forms_schema() function (versions up to 1.6.0), enabling attackers to alter critical settings such as user registration policies or inject malicious configurations. This integrity vulnerability could be exploited to disable site functionality or bypass security configurations without administrative credentials.
Reflected XSS in the All-in-One Video Gallery WordPress plugin through version 4.7.1 allows unauthenticated attackers to inject malicious scripts via the 'vi' parameter due to improper input validation. An attacker can craft a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available.
The JS Help Desk - AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the 'js-support-ticket-token-tkstatus' cookie in version 2.8.2 due to an incomplete fix for CVE-2023-50839 where a second sink was left with insufficient escaping on the user supplied values and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
Envira Gallery for WordPress (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
The Enable Media Replace plugin for WordPress through version 4.1.7 fails to properly validate user permissions in the RemoveBackGroundViewController::load function, allowing authenticated users with Author-level privileges to replace arbitrary attachments with background-removed versions. This integrity issue affects WordPress installations using the vulnerable plugin and requires user authentication to exploit. No patch is currently available.
The WP-Members Membership Plugin for WordPress through version 3.5.5.1 contains a SQL injection vulnerability in the [wpmem_user_membership_posts] shortcode's 'order_by' parameter due to insufficient input escaping and query preparation. Authenticated attackers with Contributor-level access or higher can exploit this to execute arbitrary SQL queries and extract sensitive database information. No patch is currently available.
Unauthenticated disclosure of WordPress user email addresses in Mail Mint plugin versions before 1.19.5 through an unprotected REST API endpoint allows remote attackers to enumerate users without authentication. Public exploit code exists for this vulnerability. All installations below 1.19.5 are affected; 1.19.5 is the first version outside the affected range, so sites should update to it or later.
Stored XSS in the Morkva UA Shipping WordPress plugin through version 1.7.9 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all site visitors, affecting multi-site installations and sites with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the admin interface. Exploitation requires high-privilege administrator access and no patch is currently available.
Stored XSS in WordPress Taskbuilder plugin versions up to 5.0.3 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users, affecting multi-site installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's administrative interface. No patch is currently available.
Unauthenticated attackers can extract sensitive customer data from WPBookit plugin versions 1.0.8 and earlier through an authorization bypass in the 'get_customer_list' endpoint, exposing names, emails, phone numbers, dates of birth, and gender information. This network-accessible vulnerability affects all WordPress installations running the vulnerable plugin without requiring authentication or user interaction. No patch is currently available.
Stored XSS in WPBookit plugin through version 1.0.8 allows unauthenticated attackers to inject malicious scripts via user name and email fields due to improper input validation. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available for this vulnerability.
SQL injection in the Email Subscribers by Icegram Express WordPress plugin through version 5.9.16 allows authenticated administrators to execute arbitrary database queries via the 'workflow_ids' parameter due to insufficient input escaping. An attacker with admin-level access could exploit this to extract sensitive information from the database. No patch is currently available for this vulnerability.
The PostX WordPress plugin versions up to 5.0.8 contains a server-side request forgery vulnerability in its REST API endpoints that allows authenticated administrators to make arbitrary web requests from the server to internal or external systems. This could enable attackers with admin privileges to query, exfiltrate, or modify data from internal services accessible to the web server. No patch is currently available for this vulnerability.
Stored cross-site scripting in WP Zendesk for Contact Form 7 and related WordPress plugins through version 1.1.5 allows unauthenticated attackers to inject malicious scripts into form submissions that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output escaping on submitted form data. No patch is currently available.
Privilege escalation in the User Registration & Membership WordPress plugin.
Authentication bypass in the All-in-One Microsoft 365 SSO WordPress plugin.
Page Builder by SiteOrigin (WordPress plugin) versions up to 2.33.5 are affected by path traversal (CVSS 8.8).
Server-Side Request Forgery in the Uncanny Automator WordPress plugin up to version 7.0.0.3 allows authenticated administrators to make arbitrary web requests from the affected server and store remote file contents locally, potentially enabling remote code execution. The vulnerability requires administrator-level privileges and has no available patch. Attackers can exploit this to interact with internal services and upload arbitrary files to the web server.
Calendar Booking Plugin for Appointments and Event (WordPress plugin) versions up to 5.2.7 are affected by SQL injection (CVSS 6.5).
Authenticated agents in the LatePoint WordPress plugin versions up to 5.2.7 can arbitrarily link customer accounts to any user ID during account creation, enabling privilege escalation to administrator accounts. An attacker with agent-level access can exploit this to reset an administrator's password and gain full site control. No patch is currently available.
AI ChatBot with ChatGPT and Content Generator by AYS (WordPress plugin) is affected by missing authorization (CVSS 5.3).
Stored cross-site scripting in Blocksy WordPress theme versions up to 2.1.30 allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized metadata fields. When users access pages containing injected payloads, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available for this vulnerability.
Unauthenticated attackers can exploit blind SQL injection in the Contest Gallery WordPress plugin through improperly sanitized email parameters to extract sensitive database information without authentication. Affected versions through 28.1.4 fail to properly escape user input in the 'cgLostPasswordEmail' and 'cgl_mail' parameters, allowing attackers to inject arbitrary SQL commands. No patch is currently available for any vulnerable version.
Master Addons for Elementor Premium (WordPress plugin) versions up to 2.1.3 are affected by code injection (CVSS 8.8).
Unauthenticated SQL injection in wpForo 2.4.14 allows remote attackers to extract sensitive data from WordPress databases through the wpfob parameter via blind boolean-based attacks. The vulnerability exploits inadequate sanitization of ORDER BY clause identifiers, enabling credential theft without authentication. No patch is currently available for affected installations.
Unauthorized usergroup reassignment in wpForo Forum 2.4.14 allows any authenticated user to remap all forum usergroups to arbitrary WordPress roles through a missing capability check in the wpforo_synch_roles AJAX handler. An attacker can obtain a valid nonce from the publicly accessible usergroups admin page and execute bulk privilege escalation affecting all forum users. No patch is currently available for this vulnerability.
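Most of the authorization entries on this page (ProfileGrid's pg_delete_msg(), HUMN-1's winston_disconnect, Media Library Assistant, Fluent Forms' deleteFile(), Seraphinite's OnAdminApi_GetData() and LogClear, Gutena Forms, MDJM, and the wpForo usergroup handler directly above) are the same missing-check pattern in an admin-ajax.php handler, and the CSRF entries (ProfileGrid membership requests, WP Frontend Profile, WP eCommerce) are the nonce half of it. The wpForo entry makes the key point: a nonce obtainable from a public page is not authorization. Below is an added example of a hardened handler, written as WordPress plugin code using the core APIs (it needs WordPress to run, it is not code from any plugin listed here). The table name, columns, action names and script handle are hypothetical.

```php
<?php
// Added example, not code from ProfileGrid, wpForo, Fluent Forms or any plugin
// on this page. WordPress plugin code: a "delete message" AJAX handler with the
// three checks the advisories above describe as missing. Hypothetical names:
// table "{$wpdb->prefix}demo_messages" (id, sender_id, body), nonce action
// "demo_delete_msg", script handle "demo-messages".

// --- Vulnerable pattern: any logged-in user can delete any message ----------
add_action('wp_ajax_demo_delete_msg_vuln', function () {
    global $wpdb;
    $id = absint($_POST['id'] ?? 0);
    $wpdb->delete("{$wpdb->prefix}demo_messages", ['id' => $id], ['%d']);
    wp_send_json_success();
});

// --- Hardened pattern --------------------------------------------------------
add_action('wp_ajax_demo_delete_msg', function () {
    global $wpdb;

    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action. A nonce is NOT authorization (wpForo above: the nonce was
    //    readable from a public page), so steps 2 and 3 are still required.
    check_ajax_referer('demo_delete_msg', 'nonce');

    // 2. Authentication / capability for this class of action.
    if (!is_user_logged_in()) {
        wp_send_json_error('auth', 401);
    }

    // 3. Object-level authorization: the caller must own the specific record,
    //    or hold a capability that overrides ownership.
    $id  = absint($_POST['id'] ?? 0);
    $row = $wpdb->get_row($wpdb->prepare(
        "SELECT id, sender_id FROM {$wpdb->prefix}demo_messages WHERE id = %d",
        $id
    ));
    if (!$row) {
        wp_send_json_error('not_found', 404);
    }
    if ((int) $row->sender_id !== get_current_user_id()
        && !current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    $wpdb->delete("{$wpdb->prefix}demo_messages", ['id' => $id], ['%d']);
    wp_send_json_success(['deleted' => $id]);
});

// Issue the nonce only to the page that makes the request. Do NOT register a
// wp_ajax_nopriv_ hook for this action: that is what exposed deleteFile() to
// unauthenticated callers in the Fluent Forms entry above.
add_action('wp_enqueue_scripts', function () {
    if (!is_user_logged_in() || !wp_script_is('demo-messages', 'registered')) {
        return;
    }
    wp_localize_script('demo-messages', 'demoMsg', [
        'ajax'  => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('demo_delete_msg'),
    ]);
});
```

For admin-page form handlers (the ProfileGrid membership and WP Frontend Profile CSRF entries) the same shape applies with wp_nonce_field() in the form and check_admin_referer() in the handler, followed by a current_user_can() check for the capability the action actually needs. Settings-changing handlers such as Gutena Forms' save_gutena_forms_schema() should additionally restrict which option names may be written rather than accepting an arbitrary key.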
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
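The wpForo, WP-Members and Tutor LMS entries are all ORDER BY or filter-clause injections, which deserve a note because $wpdb->prepare() cannot help with them directly: an ORDER BY target is an identifier or expression, not a string literal, so it has to be allowlisted. The Page and Post Clone entry is the second-order form, where the value is read back from postmeta long after it was saved. Below is an added example, not code from any of these plugins; table and column names are hypothetical, and the blind payload is constructed to show the shape the advisories describe. It builds query strings only, with no database connection, so it runs anywhere PHP does.

```php
<?php
// Added example, not code from wpForo, WP-Members, Tutor LMS or Page and Post
// Clone. Shows why ORDER BY identifiers cannot be fixed with prepare()
// placeholders and what an allowlist looks like. Table/column names are
// hypothetical; only query strings are built, no database is touched.

declare(strict_types=1);

// Vulnerable: the identifier is concatenated straight into the query. Quoting
// the value would not help: an ORDER BY expression is not a string literal.
function order_query_vulnerable(string $order_by): string {
    return "SELECT id, title FROM wp_demo_topics ORDER BY {$order_by}";
}

// Hardened: map client-supplied sort keys to known columns and directions.
// Unknown keys fall back to the default instead of reaching the SQL.
const SORT_COLUMNS = ['date' => 'created_at', 'title' => 'title', 'id' => 'id'];

function order_query_safe(string $order_by, string $dir = 'asc'): string {
    $column = SORT_COLUMNS[strtolower($order_by)] ?? 'created_at';
    $dir    = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return "SELECT id, title FROM wp_demo_topics ORDER BY `{$column}` {$dir}";
}

// Second-order variant (Page and Post Clone above): the value is not in the
// request at all but read back from storage later. It is a literal here, so it
// can be bound; the point is that binding must happen at the point of use,
// in WordPress via $wpdb->prepare() with %s, not only when the key was saved.
function clone_meta_query_safe(string $meta_key_from_db): array {
    return [
        'sql'    => "SELECT meta_value FROM wp_postmeta WHERE meta_key = %s",
        'params' => [$meta_key_from_db],
    ];
}

function check(bool $cond, string $msg): void {
    if (!$cond) {
        throw new RuntimeException($msg);
    }
}

// Constructed boolean-based blind payload of the kind the wpForo and Tutor LMS
// entries describe: the sort order (and thus the first row shown) depends on a
// condition over another table, leaking a password hash one character at a time.
$blind = "(CASE WHEN (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE ID=1)='\$' "
       . "THEN id ELSE title END)";

$bad  = order_query_vulnerable($blind);
$good = order_query_safe($blind);

check(strpos($bad, 'wp_users') !== false, 'vulnerable query should contain the subquery');
check(strpos($good, 'wp_users') === false, 'allowlist let the subquery through');
check($good === 'SELECT id, title FROM wp_demo_topics ORDER BY `created_at` ASC',
      "unexpected safe query: $good");
check(order_query_safe('title', 'desc')
      === 'SELECT id, title FROM wp_demo_topics ORDER BY `title` DESC',
      'valid sort key was not honoured');

$q = clone_meta_query_safe("x' OR 1=1 -- ");
check(strpos($q['sql'], 'OR 1=1') === false, 'stored value leaked into SQL text');

echo "vulnerable: $bad\nsafe:       $good\n";
```

WordPress core offers sanitize_sql_orderby() for the common "column ASC|DESC" case, but it only checks syntax, not whether the column exists or may be sorted on; the explicit map above is the stricter option and is what a reviewer should expect to see around any sort parameter.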
Unauthenticated attackers can inject malicious serialized PHP objects into the WP Mail Logging plugin (versions up to 1.15.0) through email forms, exploiting unsafe deserialization in the BaseModel class. When administrators view the logged emails, the injected payload deserializes into arbitrary PHP objects, potentially enabling code execution if leveraged with gadget chains from other installed plugins or themes. No patch is currently available.
Super Stage WP (WordPress plugin) versions up to 1.0.1 are affected by deserialization of untrusted data (CVSS 6.5).
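The PHP object injection entries (JS Archive List, Database for CF7/WPforms/Elementor forms, WooCommerce License Manager, WP Mail Logging, Super Stage WP) share the caveat that the vulnerable plugin itself may have no dangerous class; the damage comes from a "gadget" class in any other loaded plugin or theme whose magic method has a side effect. The added example below, not code from any listed plugin, defines one such hypothetical gadget, feeds a constructed payload to unserialize() to show the destructor firing, and then shows the two ways to stop it. The file written goes to the system temp directory and is removed again.

```php
<?php
// Added example, not code from any plugin on this page. A hypothetical gadget
// class of the kind that ships in unrelated plugins/themes, beside the
// unserialize() call that triggers it, then two safe alternatives.

declare(strict_types=1);

// Hypothetical gadget: a class whose destructor has a file-system side effect.
// The vulnerable plugin never references this class; it only has to be
// loaded (or autoloadable) when unserialize() runs.
class CacheWriter {
    public string $path = '';
    public string $data = '';
    public function __destruct() {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data); // attacker controls both
        }
    }
}

function check(bool $cond, string $msg): void {
    if (!$cond) {
        throw new RuntimeException($msg);
    }
}

$target = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.php';
$data   = "<?php echo 'pwn'; ?>";

// Constructed attacker payload, as it would arrive in a form field, shortcode
// attribute or logged email. Lengths are computed so the string is valid.
$payload = 'O:11:"CacheWriter":2:{'
         . 's:4:"path";s:' . strlen($target) . ':"' . $target . '";'
         . 's:4:"data";s:' . strlen($data)   . ':"' . $data   . '";}';

// Vulnerable: untrusted bytes straight into unserialize(). The object is built
// and, with no reference kept, destroyed immediately -> __destruct runs.
function load_vulnerable(string $blob): mixed {
    return unserialize($blob);
}

// Safer: refuse to instantiate any class. PHP returns a __PHP_Incomplete_Class
// stub, whose destructor is not the gadget's.
function load_no_classes(string $blob): mixed {
    return unserialize($blob, ['allowed_classes' => false]);
}

// Best: do not use PHP serialization across a trust boundary at all.
function load_json(string $blob): mixed {
    return json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
}

@unlink($target);
load_vulnerable($payload);
$written = file_exists($target);
@unlink($target);

$stub = load_no_classes($payload);
$blocked = !file_exists($target) && $stub instanceof __PHP_Incomplete_Class;

check($written, 'expected the gadget destructor to write the file');
check($blocked, 'allowed_classes=false did not block the gadget');

$cfg = load_json('{"included":"all"}');
check($cfg === ['included' => 'all'], 'json path should decode plain data');

echo "vulnerable path wrote $target; allowed_classes=false produced a stub only\n";
```

The allowed_classes option defuses the classic gadget route but still parses attacker-controlled structure, so treat it as a mitigation for code you cannot rewrite; for new code, JSON (or WordPress's own maybe_unserialize() only on data the site itself wrote) is the right choice.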
Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources.
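The SSRF entries on this page (PostX's REST endpoints, Uncanny Automator's fetch-and-store, Featured Image from Content) all let a user-supplied URL drive a server-side HTTP request. In WordPress the fetch should go through wp_safe_remote_get(), which refuses local and private targets via wp_http_validate_url(); the added example below, not code from any of those plugins, makes that validation logic explicit and testable offline by injecting the resolver, and adds the checks a practitioner usually wants on top (no userinfo in the URL, every DNS answer checked, non-HTTP schemes refused). The host names, addresses and resolver are constructed.

```php
<?php
// Added example, not code from PostX, Uncanny Automator or Featured Image from
// Content. A URL validator for a "fetch this URL" feature, with the DNS
// resolver injected so the check runs offline. In WordPress the request
// itself should still go through wp_safe_remote_get().

declare(strict_types=1);

/**
 * @param callable(string):array<string> $resolve host -> list of IP strings
 */
function ssrf_safe_url(string $url, callable $resolve): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;                         // no file://, gopher://, ftp:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                         // http://trusted.example@10.0.0.1/
    }
    $host = strtolower(trim($p['host'], '[]'));
    // A literal IP is checked directly; a name is resolved and EVERY answer
    // checked, so a record set mixing public and private addresses fails.
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return false;                     // 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ::1, fc00::/7 ...
        }
    }
    return true;
}

// Constructed resolver standing in for DNS.
$fakeDns = function (string $host): array {
    return match ($host) {
        'example.com'          => ['93.184.216.34'],
        'metadata.internal'    => ['169.254.169.254'],
        'rebind.attacker.test' => ['93.184.216.34', '10.0.0.5'],
        default                => [],
    };
};

$cases = [
    'https://example.com/feed.xml'            => true,
    'http://127.0.0.1:8080/admin'             => false,
    'http://169.254.169.254/latest/meta-data' => false,
    'http://metadata.internal/'               => false,
    'http://rebind.attacker.test/'            => false,
    'file:///etc/passwd'                      => false,
    'http://example.com@10.0.0.1/'            => false,
    'http://[::1]/'                           => false,
    'http://nonexistent.test/'                => false,
];
foreach ($cases as $url => $want) {
    if (ssrf_safe_url($url, $fakeDns) !== $want) {
        throw new RuntimeException("unexpected verdict for $url");
    }
}
echo "all " . count($cases) . " SSRF cases behaved as expected\n";
```

Two caveats the validator does not solve on its own: the HTTP client must not follow redirects to unchecked targets (wp_safe_remote_get() re-validates each hop; a raw cURL call does not), and DNS rebinding between the check and the connect is still possible unless the client connects to the address that was validated rather than resolving again. For the Uncanny Automator case, where the fetched body is written to disk, the stored file's name and extension need the same allowlisting as any upload.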
SQL injection in the MailArchiver WordPress plugin through version 4.5.0 allows authenticated administrators to extract sensitive database information by injecting malicious SQL commands via the 'logid' parameter due to improper input escaping. The vulnerability requires high-level privileges and administrator credentials to exploit, limiting its risk to insider threats or compromised administrative accounts. No patch is currently available for this medium-severity issue.
The Japanized for WooCommerce plugin through version 2.8.4 fails to properly validate webhook signatures, allowing unauthenticated attackers to bypass payment authentication and fraudulently update order statuses to "Processing" or "Completed" without actual payment. An attacker can exploit this by omitting the signature header in POST requests to the Paidy webhook endpoint, resulting in the permission check unconditionally returning true. No patch is currently available.
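The Japanized for WooCommerce entry is a clean illustration of a permission check that fails open: the signature is verified only if the header is present, so leaving it out skips verification entirely. The added example below is not the plugin's code; it models that control flow in plain PHP with a hypothetical header name and shared secret, shows the unsigned forged request passing the vulnerable check, and shows the fail-closed version rejecting it while still accepting a correctly signed webhook.

```php
<?php
// Added example, not Japanized for WooCommerce's code. Models a webhook
// permission check that is only enforced when the signature header is present,
// beside one that fails closed. Header name and secret are hypothetical.

declare(strict_types=1);

const WEBHOOK_SECRET = 'demo-shared-secret';   // assumption: HMAC-SHA256 shared secret
const SIG_HEADER     = 'x-demo-signature';     // assumption: lower-cased header name

/** @param array<string,string> $headers lower-cased header map */
function permission_vulnerable(array $headers, string $body): bool {
    if (isset($headers[SIG_HEADER])) {
        $expected = hash_hmac('sha256', $body, WEBHOOK_SECRET);
        return hash_equals($expected, $headers[SIG_HEADER]);
    }
    return true; // <- missing header treated as a trusted request
}

function permission_safe(array $headers, string $body): bool {
    $given = $headers[SIG_HEADER] ?? '';
    if ($given === '') {
        return false; // fail closed: no signature, no access
    }
    $expected = hash_hmac('sha256', $body, WEBHOOK_SECRET);
    return hash_equals($expected, $given); // constant-time comparison
}

function check(bool $cond, string $msg): void {
    if (!$cond) {
        throw new RuntimeException($msg);
    }
}

// Constructed forged payload: marks an order as paid without a payment.
$forged = json_encode(['order_id' => 1001, 'status' => 'Completed']);

// Attacker omits the signature header entirely.
check(permission_vulnerable([], $forged) === true,  'expected the vulnerable check to pass');
check(permission_safe([], $forged) === false,       'expected the hardened check to refuse');

// Attacker guesses a signature: both checks reject it.
check(!permission_vulnerable([SIG_HEADER => 'deadbeef'], $forged), 'bad sig accepted');
check(!permission_safe([SIG_HEADER => 'deadbeef'], $forged),       'bad sig accepted');

// Legitimate provider with a valid HMAC: both checks accept it.
$valid = hash_hmac('sha256', $forged, WEBHOOK_SECRET);
check(permission_safe([SIG_HEADER => $valid], $forged),       'valid sig rejected');
check(permission_vulnerable([SIG_HEADER => $valid], $forged), 'valid sig rejected');

echo "unsigned webhook: vulnerable=accepted, hardened=rejected\n";
```

In a WordPress REST route the equivalent is the permission_callback returning false or a WP_Error on a missing or bad signature; returning true on any path that has not verified the caller is the bug. Replay protection (a timestamp or nonce inside the signed body) is a separate control the example does not cover.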
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. [CVSS 6.5 MEDIUM]
Stored XSS in Simple Download Monitor plugin for WordPress through version 4.0.5 allows authenticated users with Contributor privileges or higher to inject malicious scripts via custom fields that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output encoding, enabling attackers to compromise page integrity and steal user data. No patch is currently available.
Stored DOM-based XSS in WordPress WP Accessibility plugin (versions up to 2.3.1) allows authenticated contributors and above to inject malicious scripts via image alt attributes when the Long Description UI feature is enabled and configured as a link. The injected scripts execute in the browsers of any user accessing affected pages. No patch is currently available and exploitation requires specific plugin settings to be enabled.
Stored XSS in WordPress Stock Ticker plugin through version 3.26.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users viewing affected pages. The vulnerability requires administrator privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
Stored XSS in MailArchiver plugin for WordPress versions up to 4.4.0 allows authenticated administrators to inject malicious scripts through insufficiently sanitized admin settings, affecting multi-site installations and those with disabled unfiltered_html. Attackers with admin privileges can execute arbitrary JavaScript that persists and triggers when other users access affected pages. No patch is currently available.
The ProfileGrid WordPress plugin through version 5.9.8.2 lacks nonce validation on membership request management functions, allowing unauthenticated attackers to forge requests that approve or deny group membership through social engineering of site administrators. An attacker can exploit this CSRF vulnerability to manipulate group membership status by tricking an admin into clicking a malicious link. No patch is currently available for this medium-severity vulnerability.
Unauthorized message deletion in ProfileGrid WordPress plugin versions up to 5.9.8.1 allows authenticated subscribers and above to delete arbitrary messages from any user due to missing capability checks in the pg_delete_msg() function. An attacker can exploit this by sending a crafted request with a valid message ID to remove messages without proper authorization. No patch is currently available for this vulnerability.
Reflected XSS in CM Custom Reports plugin for WordPress (versions up to 1.2.7) allows unauthenticated attackers to inject malicious scripts through inadequately sanitized 'date_from' and 'date_to' parameters. An attacker can exploit this by tricking users into clicking malicious links, causing arbitrary scripts to execute in their browsers with access to sensitive data or session information. No patch is currently available.
SQL injection in WordPress Community Events plugin up to version 1.5.8 allows authenticated administrators to extract sensitive database information through malicious CSV file uploads exploiting inadequately sanitized venue name fields. The vulnerability requires high-level privileges and manual interaction but poses a significant confidentiality risk to WordPress installations using this plugin. No patch is currently available.
PHP object injection in the JS Archive List WordPress plugin (versions up to 6.1.7) allows authenticated contributors and above to deserialize untrusted data through the shortcode 'included' parameter. While no direct exploitation path exists in the plugin itself, attackers could leverage gadget chains from other installed plugins or themes to achieve arbitrary file deletion, information disclosure, or remote code execution. A patch is not currently available.
Stored XSS in the Hammas Calendar WordPress plugin through version 1.5.11 allows authenticated contributors and above to inject malicious scripts via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode due to inadequate input sanitization. When users access pages containing the injected payload, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or malware distribution. No patch is currently available.
Unauthenticated attackers can modify arbitrary custom event fields in the MDJM Event Management plugin for WordPress through versions 1.7.8.1 due to insufficient capability checks in the custom fields controller. This allows remote deletion of custom event data without requiring valid credentials or user interaction. No patch is currently available for this medium-severity vulnerability.
ZIP Code Based Content Protection (WordPress plugin) versions up to 1.0.2 are affected by SQL injection (CVSS 7.5).
Unauthenticated attackers can retrieve rendered HTML content from private, draft, and password-protected reusable blocks in the Greenshift plugin for WordPress (versions up to 12.8.3) due to missing authorization checks in an AJAX handler combined with exposed nonce values. The vulnerability allows an attacker to specify arbitrary post IDs and bypass post status validation to access sensitive block content. No patch is currently available for this medium-severity information disclosure vulnerability.
The HUMN-1 AI Website Scanner & Human Certification plugin for WordPress through version 0.0.3 fails to validate user permissions on the winston_disconnect AJAX function, allowing authenticated Subscriber-level users to disconnect the plugin's API credentials. This capability check bypass enables authenticated attackers to disrupt the plugin's functionality by resetting its API connection settings without proper authorization.
The WP Frontend Profile WordPress plugin through version 1.3.8 lacks CSRF protections on the update_action function, enabling unauthenticated attackers to manipulate user registration approvals or rejections by deceiving administrators into clicking malicious links. This allows attackers to perform unauthorized account management actions without authentication, potentially disrupting legitimate user onboarding processes. No patch is currently available for this vulnerability.
WooCommerce plugin versions 5.4.0 through 10.5.2 fail to properly validate batch requests, enabling unauthenticated attackers to execute administrative actions through CSRF attacks, including creation of arbitrary admin accounts. The vulnerability affects all WordPress installations running vulnerable WooCommerce versions and requires user interaction to exploit. No patch is currently available.
Reflected cross-site scripting in WP All Import plugin versions up to 4.0.0 allows unauthenticated attackers to inject malicious scripts through the 'filepath' parameter due to improper input validation and output encoding. Successful exploitation requires tricking users into clicking a specially crafted link, after which arbitrary JavaScript executes in their browser session. A patch is not currently available.
Auth bypass in PowerPack for LearnDash WordPress plugin before 1.3.0.
WP eCommerce WordPress plugin versions up to 3.15.1 are affected by cross-site request forgery (CSRF) (CVSS 4.3).
Animation and page builder block versions up to 12.8.3 are affected by information exposure (CVSS 5.3).
Stored Cross-Site Scripting in the Greenshift page builder plugin for WordPress (versions up to 12.8.5) allows authenticated users with Contributor privileges or higher to inject malicious scripts through the `_gspb_post_css` post meta and `dynamicAttributes` block attributes due to inadequate input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.
Unauthenticated attackers can upload arbitrary files to WordPress sites running the Drag and Drop Multiple File Upload - Contact Form 7 plugin through versions 1.3.7.3 due to insufficient file type validation when wildcard characters are configured in upload fields. Successful exploitation could enable remote code execution on the affected server. No patch is currently available.
WowOptin: Next-Gen Popup Maker plugin for WordPress versions up to 1.4.24 fails to validate user permissions on plugin installation functions, allowing authenticated subscribers to install and activate arbitrary plugins. This privilege escalation vulnerability enables low-privileged attackers to execute remote code with full WordPress permissions. No patch is currently available.
PHP Object Injection in Database for CF7/WPforms/Elementor forms WordPress plugin.
SQL injection in WordPress Page and Post Clone plugin up to version 6.3 allows authenticated contributors and above to extract sensitive database information through a second-order injection via the meta_key parameter. The vulnerability stems from insufficient input escaping and query preparation in the content_clone() function, with malicious payloads stored as post metadata and executed during the clone operation. No patch is currently available.
Unauthenticated attackers can escalate privileges in WordPress installations using the Membership Plugin - Restrict Content (versions up to 3.2.20) by registering with arbitrary membership levels, including inactive levels or those granting administrator access, due to insufficient validation of the rcp_level parameter. This allows attackers to bypass payment requirements and gain unauthorized administrative roles without authentication. No patch is currently available for this vulnerability.
The Media Library Assistant plugin for WordPress through version 3.33 fails to validate user permissions in the mla_update_compat_fields_action() function, allowing authenticated subscribers and higher-privileged users to modify taxonomy terms on any attachment. This authorization bypass enables attackers to alter attachment metadata without proper capability restrictions. A patch is not currently available.
Auth bypass in Login with Salesforce WordPress plugin through 1.0.2.
Deserialization of untrusted data in WooCommerce License Manager (fs-license-manager) WordPress theme allows PHP Object Injection, potentially enabling remote code execution through POP chains.
The ThemeREX Healer WordPress theme through version 1.0.0 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file include statements. An attacker can exploit this to access sensitive configuration files, database credentials, and other protected data without authentication. No patch is currently available and exploitation requires no user interaction.
Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices contains a security vulnerability (CVSS 7.1).
The SiteGuard WP Plugin for WordPress through version 1.7.9 contains a guessable CAPTCHA implementation that allows attackers to bypass security protections without authentication. This vulnerability enables attackers to circumvent the plugin's functionality controls and potentially gain unauthorized access to protected resources or perform actions that should be restricted.
The Claue WordPress theme through version 2.2.7 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this by crafting a malicious URL to steal sensitive information, perform unauthorized actions, or compromise user sessions without requiring any special privileges or interaction with the application itself.
vanquish WooCommerce Order Details woocommerce-order-details is affected by missing authorization (CVSS 7.5).
kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon is affected by missing authorization (CVSS 6.5).
WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by cross-site scripting (XSS) (CVSS 6.5).
Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit is affected by PHP remote file inclusion (CVSS 8.1).
Mikado-Themes TopScorer - Sports WordPress Theme topscorer is affected by PHP remote file inclusion (CVSS 8.1).
The AncoraThemes Apollo | Night Club, DJ Event WordPress Theme through version 1.3.1 contains a PHP local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server. This CWE-98 weakness in improper filename control could enable attackers to access sensitive configuration files or other protected data. No patch is currently available for affected installations.
The Buzz Stone WordPress theme through version 1.0.2 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files on the affected server. With network access and no user interaction required, an attacker can leverage improper input validation in file inclusion functions to access sensitive data or potentially execute code. No patch is currently available for this vulnerability affecting WordPress installations using the vulnerable theme versions.
The Chronicle WordPress theme version 1.0 and earlier contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the affected server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, or other confidential data stored on the web server. Currently, no patch is available and the vulnerability has a 0.2% probability of exploitation according to EPSS scoring.
The Consultor WordPress theme through version 1.2.4 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files on the server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, and other confidential data. Currently no patch is available, leaving all affected installations vulnerable.
The AC Services WordPress theme through version 1.2.5 contains a local file inclusion vulnerability in PHP that enables unauthenticated remote attackers to read arbitrary files on affected servers. This high-severity flaw allows attackers to access sensitive configuration files and potentially extract credentials or other confidential data. Because no patch is currently available, all WordPress installations using this theme remain exposed.
The CasaMia WordPress theme through version 1.1.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) could expose sensitive configuration files, database credentials, and other confidential data stored on affected WordPress installations. No patch is currently available for this vulnerability.
Improper access control in the Blend Media WordPress CTA easy-sticky-sidebar plugin through version 1.7.4 allows unauthenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive functionality. The vulnerability affects WordPress installations running the vulnerable plugin versions and could enable attackers to read restricted information or disrupt service availability. No security patch is currently available.
Builderall Builderall Builder for WordPress builderall-cheetah-for-wp is affected by code injection (CVSS 9.9).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS. This issue affects Theater for WordPress: from n/a through <= 0.19. [CVSS 6.5 MEDIUM]
Unrestricted file upload in Lendiz (lendiz) WordPress theme allows uploading web shells for remote code execution.
Insertion of Sensitive Information Into Sent Data vulnerability in Roland Murg WP Booking System wp-booking-system allows Retrieve Embedded Sensitive Data. This issue affects WP Booking System: from n/a through <= 2.0.19.12. [CVSS 5.8 MEDIUM]
SQL injection in the Apocalypse Meow WordPress plugin up to version 22.1.0 allows authenticated administrators to execute arbitrary SQL queries due to a flawed validation check combined with improper quote escaping. An authenticated attacker with administrator privileges can exploit this via the 'type' parameter to extract sensitive database information. No patch is currently available.
OoohBoi Steroids for Elementor (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
Unauthenticated attackers can delete arbitrary WordPress media attachments in Fluent Forms Pro Add On Pack versions up to 6.1.17 due to missing authorization checks in the deleteFile() AJAX action. The vulnerable endpoint is accessible to unauthenticated users and accepts an attachment_id parameter without nonce verification or capability validation. No patch is currently available for this medium-severity vulnerability affecting WordPress sites.
Stored XSS in Fluent Forms Pro for WordPress through version 6.1.17 allows unauthenticated attackers to inject malicious scripts into draft form submissions due to missing authentication and insufficient input sanitization on the fluentform_step_form_save_data AJAX action. The injected scripts execute when site administrators access partial form entries, potentially compromising administrator accounts and site integrity. No patch is currently available.
The Seraphinite Accelerator WordPress plugin through version 2.28.14 fails to validate user permissions on the `seraph_accel_api` AJAX endpoint, allowing authenticated subscribers and above to access sensitive operational data including cache status and database state. An attacker with a basic WordPress account can exploit the missing capability checks in the `OnAdminApi_GetData()` function to enumerate system information without administrative rights. No patch is currently available for this information disclosure vulnerability.
The Seraphinite Accelerator WordPress plugin through version 2.28.14 fails to properly validate user permissions on the LogClear AJAX function, allowing authenticated subscribers and higher-privileged users to delete the plugin's debug and operational logs. This capability bypass could enable attackers to cover their tracks or disrupt audit trails on affected WordPress installations. The vulnerability remains unpatched and has not been observed in active exploitation.
Stored XSS in My Calendar WordPress plugin (versions up to 3.7.3) allows authenticated contributors to inject malicious scripts via the template shortcode attribute, which bypasses sanitization through improper use of stripcslashes() at render time. When users access pages containing the injected shortcode, the malicious scripts execute in their browsers. No patch is currently available.
Gutena Forms plugin for WordPress allows authenticated Contributor-level users to modify arbitrary site options through insufficient authorization checks in the save_gutena_forms_schema() function (versions up to 1.6.0), enabling attackers to alter critical settings such as user registration policies or inject malicious configurations. This integrity vulnerability could be exploited to disable site functionality or bypass security configurations without administrative credentials.
Reflected XSS in the All-in-One Video Gallery WordPress plugin through version 4.7.1 allows unauthenticated attackers to inject malicious scripts via the 'vi' parameter due to improper input validation. An attacker can craft a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available.
The JS Help Desk - AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the 'js-support-ticket-token-tkstatus' cookie in version 2.8.2 due to an incomplete fix for CVE-2023-50839 where a second sink was left with insufficient escaping on the user supplied values and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
Envira Gallery for WordPress (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
The Enable Media Replace plugin for WordPress through version 4.1.7 fails to properly validate user permissions in the RemoveBackGroundViewController::load function, allowing authenticated users with Author-level privileges to replace arbitrary attachments with background-removed versions. This integrity issue affects WordPress installations using the vulnerable plugin and requires user authentication to exploit. No patch is currently available.
The WP-Members Membership Plugin for WordPress through version 3.5.5.1 contains a SQL injection vulnerability in the [wpmem_user_membership_posts] shortcode's 'order_by' parameter due to insufficient input escaping and query preparation. Authenticated attackers with Contributor-level access or higher can exploit this to execute arbitrary SQL queries and extract sensitive database information. No patch is currently available.
Unauthenticated disclosure of WordPress user email addresses in Mail Mint plugin versions before 1.19.5 through an unprotected REST API endpoint allows remote attackers to enumerate users without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. This affects all installations of the Mail Mint plugin below the patched version.
Stored XSS in the Morkva UA Shipping WordPress plugin through version 1.7.9 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all site visitors, affecting multi-site installations and sites with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the admin interface. Exploitation requires high-privilege administrator access and no patch is currently available.
Stored XSS in WordPress Taskbuilder plugin versions up to 5.0.3 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users, affecting multi-site installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's administrative interface. No patch is currently available.
Unauthenticated attackers can extract sensitive customer data from WPBookit plugin versions 1.0.8 and earlier through an authorization bypass in the 'get_customer_list' endpoint, exposing names, emails, phone numbers, dates of birth, and gender information. This network-accessible vulnerability affects all WordPress installations running the vulnerable plugin without requiring authentication or user interaction. No patch is currently available.
Stored XSS in WPBookit plugin through version 1.0.8 allows unauthenticated attackers to inject malicious scripts via user name and email fields due to improper input validation. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available for this vulnerability.
SQL injection in the Email Subscribers by Icegram Express WordPress plugin through version 5.9.16 allows authenticated administrators to execute arbitrary database queries via the 'workflow_ids' parameter due to insufficient input escaping. An attacker with admin-level access could exploit this to extract sensitive information from the database. No patch is currently available for this vulnerability.
The PostX WordPress plugin versions up to 5.0.8 contains a server-side request forgery vulnerability in its REST API endpoints that allows authenticated administrators to make arbitrary web requests from the server to internal or external systems. This could enable attackers with admin privileges to query, exfiltrate, or modify data from internal services accessible to the web server. No patch is currently available for this vulnerability.
Stored cross-site scripting in WP Zendesk for Contact Form 7 and related WordPress plugins through version 1.1.5 allows unauthenticated attackers to inject malicious scripts into form submissions that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output escaping on submitted form data. No patch is currently available.
Privilege escalation in User Registration & Membership WordPress plugin.
Auth bypass in All-in-One Microsoft 365 SSO WordPress plugin.
Page Builder by SiteOrigin (WordPress plugin) versions up to 2.33.5 are affected by path traversal (CVSS 8.8).
Server-Side Request Forgery in the Uncanny Automator WordPress plugin up to version 7.0.0.3 allows authenticated administrators to make arbitrary web requests from the affected server and store remote file contents locally, potentially enabling remote code execution. The vulnerability requires administrator-level privileges and has no available patch. Attackers can exploit this to interact with internal services and upload arbitrary files to the web server.
Calendar Booking Plugin for Appointments and Event versions up to 5.2.7 are affected by SQL injection (CVSS 6.5).
Authenticated agents in the LatePoint WordPress plugin versions up to 5.2.7 can arbitrarily link customer accounts to any user ID during account creation, enabling privilege escalation to administrator accounts. An attacker with agent-level access can exploit this to reset an administrator's password and gain full site control. No patch is currently available.
AI ChatBot with ChatGPT and Content Generator by AYS (WordPress plugin) is affected by missing authorization (CVSS 5.3).
Stored cross-site scripting in Blocksy WordPress theme versions up to 2.1.30 allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized metadata fields. When users access pages containing injected payloads, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available for this vulnerability.
Unauthenticated attackers can exploit blind SQL injection in the Contest Gallery WordPress plugin through improperly sanitized email parameters to extract sensitive database information without authentication. Affected versions through 28.1.4 fail to properly escape user input in the 'cgLostPasswordEmail' and 'cgl_mail' parameters, allowing attackers to inject arbitrary SQL commands. No patch is currently available for all vulnerable versions.
Master Addons for Elementor Premium (WordPress plugin) versions up to 2.1.3 are affected by code injection (CVSS 8.8).
Unauthenticated SQL injection in wpForo 2.4.14 allows remote attackers to extract sensitive data from WordPress databases through the wpfob parameter via blind boolean-based attacks. The vulnerability exploits inadequate sanitization of ORDER BY clause identifiers, enabling credential theft without authentication. No patch is currently available for affected installations.
Unauthorized usergroup reassignment in wpForo Forum 2.4.14 allows any authenticated user to remap all forum usergroups to arbitrary WordPress roles through a missing capability check in the wpforo_synch_roles AJAX handler. An attacker can obtain a valid nonce from the publicly accessible usergroups admin page and execute bulk privilege escalation affecting all forum users. No patch is currently available for this vulnerability.
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
Unauthenticated attackers can inject malicious serialized PHP objects into the WP Mail Logging plugin (versions up to 1.15.0) through email forms, exploiting unsafe deserialization in the BaseModel class. When administrators view the logged emails, the injected payload deserializes into arbitrary PHP objects, potentially enabling code execution if leveraged with gadget chains from other installed plugins or themes. No patch is currently available.
Super Stage WP (WordPress) versions up to 1.0.1 are affected by deserialization of untrusted data (CVSS 6.5).
Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources.
SQL injection in the MailArchiver WordPress plugin through version 4.5.0 allows authenticated administrators to extract sensitive database information by injecting malicious SQL commands via the 'logid' parameter due to improper input escaping. The vulnerability requires high-level privileges and administrator credentials to exploit, limiting its risk to insider threats or compromised administrative accounts. No patch is currently available for this medium-severity issue.
The Japanized for WooCommerce plugin through version 2.8.4 fails to properly validate webhook signatures, allowing unauthenticated attackers to bypass payment authentication and fraudulently update order statuses to "Processing" or "Completed" without actual payment. An attacker can exploit this by omitting the signature header in POST requests to the Paidy webhook endpoint, resulting in the permission check unconditionally returning true. No patch is currently available.
The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. [CVSS 6.5 MEDIUM]
Stored XSS in Simple Download Monitor plugin for WordPress through version 4.0.5 allows authenticated users with Contributor privileges or higher to inject malicious scripts via custom fields that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output encoding, enabling attackers to compromise page integrity and steal user data. No patch is currently available.
Stored DOM-based XSS in WordPress WP Accessibility plugin (versions up to 2.3.1) allows authenticated contributors and above to inject malicious scripts via image alt attributes when the Long Description UI feature is enabled and configured as a link. The injected scripts execute in the browsers of any user accessing affected pages. No patch is currently available and exploitation requires specific plugin settings to be enabled.