WordPress
Monthly
WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.
WP-Lister Lite for eBay through version 3.8.5 contains a missing authorization vulnerability allowing unauthenticated remote attackers to bypass access controls and gain unauthorized information disclosure. The improper access control configuration enables attackers to exploit the plugin's functionality without proper authentication or permissions. No patch is currently available for affected WordPress installations.
WP Chill Image Photo Gallery Final Tiles Grid (slug: final-tiles-grid-gallery-lite) for WordPress is affected by missing authorization (CVSS 4.3).
Improper access control in the WP Compress image optimizer plugin for WordPress (versions up to 6.60.28) enables unauthenticated attackers to modify plugin data and settings. The vulnerability allows unauthorized manipulation of the plugin's functionality without requiring user interaction or special network conditions. Currently, no patch is available for affected installations.
DOM-based cross-site scripting in VeronaLabs WP SMS plugin version 7.1 and earlier for WordPress allows authenticated attackers with high privileges to execute arbitrary JavaScript in users' browsers through improper input handling. An attacker could exploit this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, or deface web pages. No patch is currently available for this vulnerability.
Melapress WP Activity Log (slug: wp-security-audit-log) for WordPress is affected by cross-site scripting (XSS) (CVSS 6.5).
The rtMedia plugin for WordPress versions up to 4.7.8 exposes sensitive system information through an information disclosure vulnerability that allows unauthenticated remote attackers to retrieve embedded data. This vulnerability affects WordPress installations using rtMedia with BuddyPress and bbPress extensions, potentially exposing confidential system details to unauthorized users. No patch is currently available for this medium-severity issue.
Wisernotify WiserReview Product Reviews for WooCommerce (slug: wiser-review) is affected by missing authorization (CVSS 4.3).
WP Messiah TOP Table Of Contents (slug: top-table-of-contents) is affected by missing authorization (CVSS 4.3).
The Alma payment gateway plugin for WooCommerce versions up to 5.16.1 contains an authorization bypass that allows unauthenticated attackers to modify data through improper access control enforcement. WordPress sites using this plugin are at risk of unauthorized changes to payment-related settings or configurations. A patch is not currently available, so affected sites need an immediate mitigation such as disabling the plugin.
WP Swings Ultimate Gift Cards For WooCommerce (slug: woo-gift-cards-lite) is affected by missing authorization (CVSS 5.3).
YITHEMES YITH WooCommerce Compare (slug: yith-woocommerce-compare) is affected by deserialization of untrusted data (CVSS 7.2).
The Dealia - Request a quote WordPress plugin fails to properly validate user permissions on AJAX endpoints, allowing authenticated users with Contributor-level access or higher to reset plugin configuration by exploiting an exposed admin nonce. An attacker with basic edit_posts capability can bypass the capability check and modify critical plugin settings without administrative privileges. The vulnerability affects all versions up to 1.0.6 and currently has no available patch.
Stored cross-site scripting in the WordPress XML-RPC Attacks Blocker plugin up to version 1.0 allows unauthenticated attackers to inject malicious scripts via the X-Forwarded-For HTTP header, which are then executed when administrators access the debug log page. The vulnerability stems from improper handling of untrusted header data without output escaping. No patch is currently available.
Complete data destruction in WordPress via the News Element Elementor Blog Magazine plugin (versions up to 1.0.8) due to insufficient authorization checks on an AJAX function, allowing authenticated users with Subscriber-level privileges to truncate core database tables and delete the uploads directory. The vulnerability requires user authentication but no additional interaction, making it exploitable by any low-privileged WordPress user with no patch currently available.
Stored XSS in WordPress Slidorion plugin through version 1.0.2 allows administrators to inject malicious scripts via insufficiently sanitized settings that execute when other users view affected pages. The vulnerability requires high privileges and only manifests in multisite WordPress installations or those with unfiltered HTML disabled. No patch is currently available.
Privilege escalation via account takeover in s2Member WordPress plugin <= 260127. Broken authentication allows taking over any user account.
Stored cross-site scripting in the Advance Block Extend WordPress plugin versions up to 1.0.4 allows authenticated contributors and above to inject malicious scripts through the TitleColor attribute in the Latest Posts block, which execute in the browsers of users viewing affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling persistent payload injection. No patch is currently available.
Whatsiplus Scheduled Notification for WooCommerce (WordPress plugin) is affected by cross-site request forgery (CSRF) (CVSS 4.3).
Arbitrary file upload in Slider Future WordPress plugin.
Stored XSS in WordPress Easy Author Image plugin up to version 1.7 allows authenticated subscribers and above to inject malicious scripts through the author_profile_picture_url parameter due to inadequate input sanitization. Attackers can embed arbitrary JavaScript that executes when other users view affected pages, potentially compromising user sessions and data. No patch is currently available for this vulnerability.
Stored XSS in the TalkJS WordPress plugin through version 0.1.15 permits high-privilege administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages, restricted to multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's settings handling. No patch is currently available.
Stored XSS in the Salavat Counter WordPress plugin up to version 0.9.5 allows authenticated administrators to inject malicious scripts through the 'image_url' parameter due to inadequate input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site integrity and user sessions. A patch is not currently available.
Stored cross-site scripting in Tennis Court Bookings plugin for WordPress through version 1.2.7 allows administrators to inject malicious scripts into admin settings that execute when other users access affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
PostmarkApp Email Integrator (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 4.4).
The Orderable WordPress plugin through version 1.20.0 fails to properly verify user permissions on plugin installation functions, enabling authenticated subscribers to install malicious plugins and achieve remote code execution. An attacker with minimal WordPress account privileges can exploit this capability check bypass to gain full server compromise without administrator credentials. No patch is currently available for this vulnerability (CVSS 8.8).
Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9.
Privilege escalation in WordPress Toret Manager plugin through version 1.2.7 allows authenticated subscribers to modify arbitrary site options due to missing capability checks in the trman_save_option functions. An attacker can exploit this to change the default registration role to administrator and enable user registration, granting themselves admin access to the vulnerable site. No patch is currently available.
The Shield Security plugin for WordPress versions up to 21.0.8 contains a CSRF vulnerability that allows attackers to bypass nonce verification through a manipulated parameter, enabling SQL injection attacks to extract database contents. An unauthenticated attacker can exploit this by tricking a site administrator into clicking a malicious link, potentially compromising sensitive information stored in the WordPress database. No patch is currently available for affected installations.
Shield Security plugin for WordPress versions up to 21.0.8 contains a reflected XSS vulnerability in the 'message' parameter that allows unauthenticated attackers to inject malicious scripts through specially crafted links. Successful exploitation requires tricking users into clicking a malicious link, resulting in execution of arbitrary JavaScript in their browser context. No patch is currently available for this vulnerability.
Stored XSS in the XO Event Calendar WordPress plugin through version 3.2.10 allows authenticated contributors and above to inject malicious scripts into pages via the 'xo_event_field' shortcode due to improper input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.
Stored XSS in WordPress Groups plugin through the 'groups_group_info' shortcode allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via inadequate input validation. When other users access the compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking or account compromise. No patch is currently available for versions up to 3.10.0.
The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. [CVSS 8.8 HIGH]
The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. [CVSS 7.2 HIGH]
The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromis...
The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. [CVSS 4.3 MEDIUM]
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. [CVSS 5.3 MEDIUM]
SEO Plugin by Squirrly SEO (WordPress plugin) versions up to 12.4.14 is affected by missing authorization (CVSS 4.3).
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or...
OneClick Chat to Order (WordPress plugin) versions up to 1.0.9 is affected by missing authorization (CVSS 2.7).
The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request ...
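The three admin-ajax failures listed on this page (a nonce guard whose AND/OR is inverted, as in the Remove Post Type Slug entry; an admin nonce that Contributors can read off a page, as in the Dealia entry; and a handler that writes any option the client names, as in the Toret Manager entry) share one fix. The following is an added illustration written for this page, not code from any of those plugins. It assumes it is loaded inside WordPress (wp_verify_nonce, check_ajax_referer, current_user_can, update_option and wp_send_json_* are core functions); the action name, nonce action and option allowlist are hypothetical.

```php
<?php
/**
 * Added illustration (not code from any plugin on this page) of the checks a
 * WordPress admin-ajax handler needs. Assumes WordPress is loaded. The action
 * 'demo_save_option', its nonce action and the option allowlist are hypothetical.
 */

// VULNERABLE: the guard only rejects when the nonce is BOTH empty AND invalid,
// so any non-empty garbage nonce gets through (an AND/OR mix-up of the kind the
// Remove Post Type Slug entry describes). There is also no capability check, so
// any logged-in user who reaches the wp_ajax_ action can write any option,
// including 'default_role' and 'users_can_register' (the Toret Manager path to
// an administrator account). Shown for contrast; deliberately not registered.
function demo_vuln_save_option() {
    $nonce = isset( $_POST['_wpnonce'] ) ? wp_unslash( $_POST['_wpnonce'] ) : '';
    if ( empty( $nonce ) && ! wp_verify_nonce( $nonce, 'demo_save_option' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    update_option( sanitize_key( $_POST['name'] ?? '' ), wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED.
function demo_safe_save_option() {
    // 1. CSRF: reject when the nonce is missing OR fails to verify.
    //    check_ajax_referer() does exactly this and terminates on failure.
    check_ajax_referer( 'demo_save_option', '_wpnonce' );

    // 2. Authorization. A nonce only proves the request originated from a page
    //    WordPress rendered for this user; it says nothing about what the user
    //    may do. A Contributor who copies an admin nonce out of page source
    //    (the Dealia entry) must still fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Confine what can be written: the client never names the option, it
    //    picks from an allowlist that also fixes the sanitizer per option.
    $allowed = array(
        'demo_title'     => 'sanitize_text_field',
        'demo_max_items' => 'absint',
    );
    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = call_user_func( $allowed[ $name ], wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name, 'value' => $value ) );
}

// Privileged users only. Registering the same function on
// wp_ajax_nopriv_demo_save_option would expose it to anonymous callers.
add_action( 'wp_ajax_demo_save_option', 'demo_safe_save_option' );
```

When reviewing a plugin's handlers, look for all three properties together: a guard that rejects on the failing branch of every condition, a current_user_can() call for the capability the action actually needs (not merely is_user_logged_in()), and a server-side allowlist of what the request may touch. A missing capability check is what turns the settings writes, plugin installs and table truncations listed on this page into privilege escalation from Subscriber or Contributor accounts.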
The iXML - Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. [CVSS 5.3 MEDIUM]
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request,...
Privilege escalation via registration in Buyent Classified WordPress plugin.
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titl...
The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The s2Member - Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
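Five entries above (XO Event Calendar, Groups, YaMaps, Easy Table of Contents and s2Member) are the same bug: shortcode attributes that Contributors control are printed into markup unescaped, and Contributors lack unfiltered_html precisely so that they cannot do this through post content. The following is an added illustration written for this page, not code from any of those plugins. It assumes WordPress is loaded (shortcode_atts, esc_attr, esc_url, esc_html and add_shortcode are core); the shortcode name 'demo_box' and its attributes are hypothetical.

```php
<?php
/**
 * Added illustration (not code from any plugin on this page) of a shortcode
 * handler before and after context-correct output escaping. Assumes WordPress
 * is loaded. The 'demo_box' shortcode and its attributes are hypothetical.
 */

// VULNERABLE: attribute values are concatenated straight into HTML, a style
// attribute and an href. A Contributor who saves
//   [demo_box title='<img src=x onerror=alert(1)>' url='javascript:alert(1)']
// gets script execution for every viewer of the post, including an editor or
// administrator who previews it. Shown for contrast; deliberately not registered.
function demo_box_vuln( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'color' => '', 'url' => '' ), $atts );
    return '<div class="box" style="color:' . $a['color'] . '">'
         . '<a href="' . $a['url'] . '">' . $a['title'] . '</a></div>';
}

// HARDENED: escape each value for the exact context it lands in, and constrain
// values (like a CSS colour) whose grammar is narrower than "any attribute".
function demo_box_safe( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'color' => '', 'url' => '' ), $atts, 'demo_box' );

    // CSS value: allowlist a hex colour or a bare keyword, else a safe default.
    $color = preg_match( '/^(#[0-9a-fA-F]{3,6}|[a-zA-Z]{1,20})$/', $a['color'] ) ? $a['color'] : 'inherit';

    return sprintf(
        '<div class="box" style="color:%s"><a href="%s">%s</a></div>',
        esc_attr( $color ),       // attribute context: quotes cannot close the attribute
        esc_url( $a['url'] ),     // URL context: javascript: and other disallowed schemes are dropped
        esc_html( $a['title'] )   // text context: tags become inert entities
    );
}
add_shortcode( 'demo_box', 'demo_box_safe' );
```

The escaping belongs at output, next to the markup, because that is the only place where the context is known; sanitizing on save does not help when the same value is later emitted into a different context. Where an attribute is meant to carry limited HTML, wp_kses_post() is the escape for that context rather than esc_html().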
Apollo13 Framework Extensions (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
Album and Image Gallery plus Lightbox (WordPress plugin) is affected by cross-site scripting (XSS) (CVSS 6.4).
WP AUDIO GALLERY (WordPress plugin) versions up to 2.0 is affected by missing authorization (CVSS 8.8).
The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. [CVSS 6.5 MEDIUM]
Privilege escalation in Lizza LMS Pro WordPress plugin <= 1.0.3.
The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. [CVSS 4.3 MEDIUM]
Country Blocker for AdSense (WordPress plugin) is affected by cross-site request forgery (CSRF) (CVSS 4.3).
The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe us...
The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. [CVSS 4.3 MEDIUM]
Mobile friendly marketing popups (WordPress plugin; the entry does not name the plugin) versions up to 4.4.2 contains an unspecified security vulnerability (CVSS 5.3).
The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. [CVSS 7.2 HIGH]
The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. [CVSS 4.3 MEDIUM]
Privilege escalation in Clasifico Listing WordPress plugin <= 2.0.
The Tablesome Table - Contact Form DB - WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. [CVSS 8.8 HIGH]
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. [CVSS 8.8 HIGH]
The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (i...
The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can b...
Mailchimp List Subscribe Form (WordPress plugin) is affected by cross-site request forgery (CSRF) (CVSS 4.3).
The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. [CVSS 4.3 MEDIUM]
The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. [CVSS 4.3 MEDIUM]
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. [CVSS 7.5 HIGH]
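The Breeze entry (permission_callback set to '__return_true'), the Razorpay entry (a custom callback that always returns true) and this GDPR Cookie Consent entry are all the same REST API mistake: the route's permission callback is the authorization check, and a callback that cannot return false leaves the route public. The following is an added illustration written for this page, not code from any of those plugins. It assumes WordPress is loaded; the 'demo/v1' namespace, the routes and the handler names are hypothetical.

```php
<?php
/**
 * Added illustration (not code from any plugin on this page) of REST route
 * registration with a real permission callback. Assumes WordPress is loaded.
 * The 'demo/v1' namespace, routes and handler names are hypothetical.
 */
add_action( 'rest_api_init', function () {

    // VULNERABLE: '__return_true', or any custom callback that always returns
    // true, makes the route anonymous. Omitting permission_callback entirely is
    // no better: since WP 5.5 it only triggers a _doing_it_wrong notice.
    register_rest_route( 'demo/v1', '/vuln/clear-cache', array(
        'methods'             => 'POST',
        'callback'            => 'demo_clear_cache',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED, site-level action: gate on the capability the action needs.
    // Cookie-authenticated callers must also send a valid X-WP-Nonce header
    // (nonce action 'wp_rest'); without it WordPress treats the request as
    // anonymous and current_user_can() is false.
    register_rest_route( 'demo/v1', '/clear-cache', array(
        'methods'             => 'POST',
        'callback'            => 'demo_clear_cache',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );

    // HARDENED, object-level action: the callback receives the request, so it
    // can check the caller against THIS object rather than "is logged in".
    register_rest_route( 'demo/v1', '/posts/(?P<id>\d+)/note', array(
        'methods'             => 'POST',
        'callback'            => 'demo_update_note',
        'args'                => array(
            'id'   => array( 'validate_callback' => function ( $v ) { return is_numeric( $v ); } ),
            'note' => array( 'sanitize_callback' => 'sanitize_text_field' ),
        ),
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
    ) );
} );

function demo_clear_cache() {
    wp_cache_flush();
    return rest_ensure_response( array( 'cleared' => true ) );
}

function demo_update_note( WP_REST_Request $request ) {
    update_post_meta( (int) $request['id'], 'demo_note', $request['note'] );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

To audit an installed plugin for this class, grep its register_rest_route() calls for '__return_true' and for permission callbacks that contain no current_user_can() or equivalent, then confirm from the outside: an unauthenticated POST to a correctly gated route answers 401 with code rest_forbidden (403 when the caller is logged in but lacks the capability), while the vulnerable route answers 200.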
Aruba HiSpeed Cache (WordPress plugin) versions up to 3.0.2 is affected by missing authorization (CVSS 6.5).
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The Booking Calendar plugin for WordPress through version 10.14.14 contains an insecure direct object reference in the handle_ajax_save function that fails to validate user-controlled input, allowing authenticated subscribers and above with booking permissions to modify other users' plugin settings and disrupt their booking calendar functionality. This vulnerability requires valid WordPress credentials but poses a direct threat to multi-user WordPress installations where booking functionality is delegated across accounts.
PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.
The Ultimate Member WordPress plugin through version 2.11.1 contains a reflected XSS vulnerability in filter parameters that lack proper input sanitization and output escaping. Unauthenticated attackers can inject malicious scripts into pages by crafting malicious links and convincing users to click them. Successful exploitation results in arbitrary JavaScript execution in the context of the affected user's browser session.
The Plus Addons for Elementor plugin for WordPress fails to validate post-type-specific permissions in its AJAX handler, allowing authenticated authors and above to create draft posts for restricted post types like pages and custom post types. An attacker with author-level access can bypass capability checks by directly specifying arbitrary post types, potentially enabling unauthorized content creation or manipulation of restricted content areas.
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pa...
SQL injection in the WP Import - Ultimate CSV Importer plugin for WordPress (versions up to 7.37) allows authenticated subscribers and higher-privileged users to inject malicious SQL commands through specially crafted filenames during file uploads. When the Single Import/Export feature is enabled on PHP versions below 8.0, attackers can extract sensitive database information by exploiting insufficient input validation. The vulnerability requires valid WordPress credentials but poses a medium risk due to its direct access to database contents.
The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'raw' parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]
The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint. This makes it possible for unauthenticated attackers to disconnect the Brevo integration, delete the API key, remove all subscription form...
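The WP All Export entry (a hex digest compared with ==) and this Brevo entry (an installation ID compared with ==) both rest on PHP's loose comparison, which compares two numeric-looking strings as numbers. The following is an added illustration written for this page, not code from either plugin; it runs on plain PHP 7 or 8 with no WordPress needed, and the token-check function names are hypothetical.

```php
<?php
/**
 * Added illustration (not code from any plugin on this page) of loose
 * comparison on hash-like strings, the "magic hash" bypass it enables, and
 * the strict, constant-time fix. Plain PHP; the function names are hypothetical.
 */

// Two well-known inputs whose MD5 digests are "0e" followed only by digits:
//   md5('240610708') = 0e462097431906509019562988736854
//   md5('QNKCDZO')   = 0e830400451993494058024219903391
// When both operands of == are numeric strings, PHP 7 and PHP 8 alike compare
// them as numbers, and 0e<digits> is 0 * 10^N = 0, so the two are "equal".
$expected = md5( '240610708' );

// VULNERABLE: loose comparison between the stored digest and the digest of
// whatever the client supplied.
function demo_token_matches_loose( $expected_hash, $supplied ) {
    return md5( $supplied ) == $expected_hash;
}

// HARDENED: hash_equals() is type-strict, requires equal length and runs in
// constant time, so neither magic hashes nor timing leaks apply.
function demo_token_matches_strict( $expected_hash, $supplied ) {
    return hash_equals( $expected_hash, md5( $supplied ) );
}

var_dump( $expected == md5( 'QNKCDZO' ) );                 // the core problem
var_dump( demo_token_matches_loose( $expected, 'QNKCDZO' ) ); // bypass: wrong secret accepted
var_dump( demo_token_matches_strict( $expected, 'QNKCDZO' ) );
var_dump( demo_token_matches_strict( $expected, '240610708' ) );

// The same trap for numeric IDs: "1e3" and "1000" are loosely equal, and on
// PHP < 8 an integer 0 was loosely equal to any non-numeric string.
var_dump( '1e3' == '1000' );
var_dump( '1e3' === '1000' );
```

Run on either PHP major version, the first two dumps and the '1e3' == '1000' dump are true, the strict check against the wrong secret and the === dump are false, and the strict check against the right secret is true. The fix is mechanical: compare secrets with hash_equals(), compare identifiers with === (or cast both sides to int first), and never rely on == for anything that gates access. Note that the bypass in the WP All Export entry is conditional on the stored digest itself starting with a numeric-looking prefix, which is why such bugs are found by auditing comparisons rather than by testing one token.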
Arbitrary file deletion in WP-DownloadManager plugin versions up to 1.69 allows high-privileged WordPress administrators to bypass path validation and remove critical system files through directory traversal in the file deletion parameter. Deletion of essential files like wp-config.php can result in remote code execution or complete site compromise. No patch is currently available.
PostmarkApp Email Integrator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
The Orderable WordPress plugin through version 1.20.0 fails to properly verify user permissions on plugin installation functions, enabling authenticated subscribers to install malicious plugins and achieve remote code execution. An attacker with minimal WordPress account privileges can exploit this capability check bypass to gain full server compromise without administrator credentials. No patch is currently available for this vulnerability (CVSS 8.8).
Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9.
Privilege escalation in WordPress Toret Manager plugin through version 1.2.7 allows authenticated subscribers to modify arbitrary site options due to missing capability checks in the trman_save_option functions. An attacker can exploit this to change the default registration role to administrator and enable user registration, granting themselves admin access to the vulnerable site. No patch is currently available.
The Shield Security plugin for WordPress versions up to 21.0.8 contains a CSRF vulnerability that allows attackers to bypass nonce verification through a manipulated parameter, enabling SQL injection attacks to extract database contents. An unauthenticated attacker can exploit this by tricking a site administrator into clicking a malicious link, potentially compromising sensitive information stored in the WordPress database. No patch is currently available for affected installations.
Shield Security plugin for WordPress versions up to 21.0.8 contains a reflected XSS vulnerability in the 'message' parameter that allows unauthenticated attackers to inject malicious scripts through specially crafted links. Successful exploitation requires tricking users into clicking a malicious link, resulting in execution of arbitrary JavaScript in their browser context. No patch is currently available for this vulnerability.
Stored XSS in the XO Event Calendar WordPress plugin through version 3.2.10 allows authenticated contributors and above to inject malicious scripts into pages via the 'xo_event_field' shortcode due to improper input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.
Stored XSS in WordPress Groups plugin through the 'groups_group_info' shortcode allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via inadequate input validation. When other users access the compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking or account compromise. No patch is currently available for versions up to 3.10.0.
The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. [CVSS 8.8 HIGH]
The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. [CVSS 7.2 HIGH]
The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromis...
The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]
The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. [CVSS 4.3 MEDIUM]
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. [CVSS 5.3 MEDIUM]
SEO Plugin by Squirrly SEO (WordPress plugin) versions up to 12.4.14 are affected by missing authorization (CVSS 4.3).
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or...
OneClick Chat to Order (WordPress plugin) versions up to 1.0.9 are affected by missing authorization (CVSS 2.7).
The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request ...
The iXML - Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. [CVSS 5.3 MEDIUM]
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request,...
Privilege escalation via registration in Buyent Classified WordPress plugin.
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titl...
The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The s2Member - Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Apollo13 Framework Extensions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Album and Image Gallery plus Lightbox (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
WP AUDIO GALLERY (WordPress plugin) versions up to 2.0 are affected by missing authorization (CVSS 8.8).
The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. [CVSS 6.5 MEDIUM]
Privilege escalation in Lizza LMS Pro WordPress plugin <= 1.0.3.
The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. [CVSS 4.3 MEDIUM]
Country Blocker for AdSense (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe us...
The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. [CVSS 4.3 MEDIUM]
mobile friendly marketing popups, versions up to 4.4.2, contains a security vulnerability (CVSS 5.3).
The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. [CVSS 7.2 HIGH]
The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. [CVSS 4.3 MEDIUM]
Privilege escalation in Clasifico Listing WordPress plugin <= 2.0.
The Tablesome Table - Contact Form DB - WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. [CVSS 8.8 HIGH]
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. [CVSS 8.8 HIGH]
The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (i...
The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can b...
Mailchimp List Subscribe Form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. [CVSS 4.3 MEDIUM]
The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. [CVSS 4.3 MEDIUM]
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. [CVSS 7.5 HIGH]
Aruba HiSpeed Cache (WordPress plugin) versions up to 3.0.2 are affected by missing authorization (CVSS 6.5).
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
The Booking Calendar plugin for WordPress through version 10.14.14 contains an insecure direct object reference in the handle_ajax_save function that fails to validate user-controlled input, allowing authenticated subscribers and above with booking permissions to modify other users' plugin settings and disrupt their booking calendar functionality. This vulnerability requires valid WordPress credentials but poses a direct threat to multi-user WordPress installations where booking functionality is delegated across accounts.
PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.
The Ultimate Member WordPress plugin through version 2.11.1 contains a reflected XSS vulnerability in filter parameters that lack proper input sanitization and output escaping. Unauthenticated attackers can inject malicious scripts into pages by crafting malicious links and convincing users to click them. Successful exploitation results in arbitrary JavaScript execution in the context of the affected user's browser session.
The Plus Addons for Elementor plugin for WordPress fails to validate post-type-specific permissions in its AJAX handler, allowing authenticated authors and above to create draft posts for restricted post types like pages and custom post types. An attacker with author-level access can bypass capability checks by directly specifying arbitrary post types, potentially enabling unauthorized content creation or manipulation of restricted content areas.
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pa...
SQL injection in the WP Import - Ultimate CSV Importer plugin for WordPress (versions up to 7.37) allows authenticated subscribers and higher-privileged users to inject malicious SQL commands through specially crafted filenames during file uploads. When the Single Import/Export feature is enabled on PHP versions below 8.0, attackers can extract sensitive database information by exploiting insufficient input validation. The vulnerability requires valid WordPress credentials but poses a medium risk due to its direct access to database contents.
The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'raw' parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]
The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint. This makes it possible for unauthenticated attackers to disconnect the Brevo integration, delete the API key, remove all subscription form...
Arbitrary file deletion in WP-DownloadManager plugin versions up to 1.69 allows high-privileged WordPress administrators to bypass path validation and remove critical system files through directory traversal in the file deletion parameter. Deletion of essential files like wp-config.php can result in remote code execution or complete site compromise. No patch is currently available.