CVE-2020-11530
A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerabili
The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) all
The GTranslate plugin before 2.8.52 for WordPress has Reflected XSS via a crafted link. This require
The Catch Breadcrumb plugin before 1.5.4 for WordPress allows Reflected XSS via the s parameter (a s
The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unr
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an inse
The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for WordPress allows SQL Injection.
search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 fo
A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for W
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload
A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended pa
An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin <= 2.1.4 exists due to the
The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticat
The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field.
The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploit
The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File U
Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simpl
An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows u
The 15Zine WordPress theme before 3.3.0 does not sanitise and escape the cbi parameter before output
The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/Display
A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker ap
The Time Capsule plugin before 1.21.16 for WordPress has an authentication bypass. Any request conta
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_m
The wpCentral plugin before 1.5.1 for WordPress allows disclosure of the connection key.
BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress f
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, d
Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.
The LikeBtn WordPress Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.32 was vulnerable to
The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure
In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX ac
This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export
The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, w
There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to
The OpenID Connect Generic Client WordPress plugin 3.8.0 and 3.8.1 did not sanitise the login error
An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plu
In the AccessAlly WordPress plugin before 3.5.7, the file 'resource/frontend/product/product-shortco
The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plug
The Goto WordPress theme before 2.0 does not sanitise the keywords and start_date GET parameter on i
The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, however only
The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the k
The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments W
The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (s
The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of i
The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its opti
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of i
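The three Supsystic entries above, and many others in this list, share one root cause: a `tab` (or similar) GET parameter on an options page is read from the request and echoed back into the HTML without sanitisation or context-appropriate escaping, giving reflected XSS against whichever administrator follows a crafted link. The block below is an added example, not code from Supsystic or any other plugin named here; it assumes it runs inside WordPress and uses a hypothetical plugin slug `example-plugin` and tab names. It shows the vulnerable pattern next to the hardened one, and also covers the related "generated URL not escaped" case (links built with `add_query_arg()` and printed raw) that several later entries describe.

```php
<?php
/**
 * Added example (not code from any plugin on this page).
 * Assumes WordPress; "example-plugin" and its tab names are hypothetical.
 * The admin page URL is wp-admin/admin.php?page=example-plugin&tab=<name>.
 */

// VULNERABLE PATTERN: the raw request value lands in the HTML body and in
// an attribute. A link such as
//   admin.php?page=example-plugin&tab="><script>/*...*/</script>
// executes in the session of the administrator who opens it.
function example_plugin_render_tabs_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<h2>Settings: ' . $tab . '</h2>';
    echo '<input type="hidden" name="tab" value="' . $tab . '">';
}

// HARDENED PATTERN:
//   1. unslash and sanitise the value the moment it is read;
//   2. validate it against the closed set of tabs the page really has;
//   3. escape for the exact output context (HTML text vs. attribute vs. URL).
function example_plugin_render_tabs_hardened() {
    $allowed = array( 'general', 'display', 'advanced' ); // hypothetical tabs

    // sanitize_key() keeps only [a-z0-9_-], so markup cannot survive it.
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general'; // unknown tab: fall back, never reflect the input
    }

    echo '<h2>Settings: ' . esc_html( $tab ) . '</h2>';
    echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';

    // add_query_arg() does not escape its result, and when called without
    // an explicit base URL it builds on the current request URI, so a
    // printed link must still go through esc_url().
    foreach ( $allowed as $name ) {
        $url = add_query_arg(
            array( 'page' => 'example-plugin', 'tab' => $name ),
            admin_url( 'admin.php' )
        );
        printf( '<a href="%s">%s</a> ', esc_url( $url ), esc_html( $name ) );
    }
}
```

The allow-list step is what removes the bug class rather than one payload: once the value can only be one of three known strings, the escaping calls are defence in depth rather than the sole barrier.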
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use t
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file up
The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin thro
The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanit
The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons Word
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulner
The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin
The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise its '
The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape it
The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its ser
The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on
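The WP Statistics entry above is the textbook case of a common misunderstanding: `esc_sql()` only escapes quote characters, backslashes and similar, so it protects a value only when that value is placed inside a quoted string literal. It does nothing for a number used unquoted or for a SQL fragment such as an ORDER BY column, both of which remain injectable. The block below is an added example, not WP Statistics' code; it assumes WordPress' global `$wpdb` and a hypothetical table `{$wpdb->prefix}example_visits(id, page_id, visited_at, ip)`.

```php
<?php
/**
 * Added example (not code from WP Statistics or any plugin on this page).
 * Assumes WordPress' $wpdb and a hypothetical table
 * {$wpdb->prefix}example_visits(id, page_id, visited_at, ip).
 */

// VULNERABLE: esc_sql() is applied, yet both values are used outside a
// quoted literal, so input such as
//   $page_id = "1 OR 1=1"
//   $order   = "(SELECT SLEEP(5))"
// reaches MySQL unchanged and the query structure is attacker-controlled.
function example_visits_query_vulnerable( $page_id, $order ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_visits';
    $page_id = esc_sql( $page_id ); // escapes quotes only; there are none here
    $order   = esc_sql( $order );
    return $wpdb->get_results(
        "SELECT id, visited_at FROM {$table} WHERE page_id = {$page_id} ORDER BY {$order}"
    );
}

// HARDENED: every data value goes through a $wpdb->prepare() placeholder
// (%d for integers, %s for strings, %f for floats); structural parts of
// the statement (column to sort by, direction) are never taken from the
// request but chosen from a fixed allow-list.
function example_visits_query_hardened( $page_id, $orderby, $direction ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_visits';

    $page_id = absint( $page_id ); // non-numeric input becomes 0, not SQL

    $columns   = array( 'id' => 'id', 'visited_at' => 'visited_at' );
    $orderby   = isset( $columns[ $orderby ] ) ? $columns[ $orderby ] : 'visited_at';
    $direction = ( 'ASC' === strtoupper( (string) $direction ) ) ? 'ASC' : 'DESC';

    // $orderby and $direction are our own constants at this point, so
    // interpolating them is safe; the only request-derived value is %d.
    $sql = $wpdb->prepare(
        "SELECT id, visited_at FROM {$table} WHERE page_id = %d ORDER BY {$orderby} {$direction}",
        $page_id
    );
    return $wpdb->get_results( $sql );
}

// Same rule for strings: do not add quotes yourself; %s quotes and escapes.
function example_visits_count_by_ip( $ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_visits';
    return (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE ip = %s", $ip )
    );
}
```

When reviewing plugin code, treat any `$wpdb->query()`/`get_results()` call whose SQL string contains `$` interpolation of a request-derived variable as a finding until you can show the variable was cast to an integer or selected from an allow-list; WordPress 6.2 and later also offer the `%i` placeholder in `prepare()` for identifiers, which removes the need to interpolate column names at all.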
The JNews WordPress theme before 8.0.6 did not sanitise the cat_id parameter in the POST request /?a
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however
The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin bef
The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.10 did not validate a redirec
The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its
The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload
The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community par
The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did
The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the log
The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its
The Prismatic WordPress plugin before 2.8 does not escape the 'tab' GET parameter before outputting
The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting
The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, es
The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (X
The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have expo
The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 se
The Marmoset Viewer WordPress plugin before 1.9.3 does not properly sanitize, validate or escape the
The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start'
The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workrea
The MF Gig Calendar WordPress plugin before 1.2 does not sanitise and escape the id GET parameter be
The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the
The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET paramete
The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invit
The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (
The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invit
The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise
The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET pa
The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the 'orde
The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subsc
The AnyComment WordPress plugin before 0.3.5 has an API endpoint which passes user input via the red
The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, availab
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_a
The eCommerce Product Catalog Plugin for WordPress plugin before 3.0.39 does not escape the ic-setti
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input a
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a
The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sa
The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows obtaining the secret login page
The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter be
The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape
The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before output
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time
The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation
The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise
The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab pa
The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before output
The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.30 does not s
The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab
The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API end
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenti
The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter be
The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise
The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to para
The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter bef
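Several entries in this list (wpForo's `redirect_to`, Event Tickets' `tribe_tickets_redirect_to`, the Newsletter plugin's `to` parameter, The Plus Addons' redirect) are open redirects: the plugin sends the browser wherever a request parameter says. WordPress ships the fix in core. The block below is an added example, not code from any of those plugins; it assumes WordPress and a hypothetical post-login handler that honours a `redirect_to` parameter.

```php
<?php
/**
 * Added example (not code from any plugin on this page).
 * Assumes WordPress; the handler names are hypothetical.
 */

// VULNERABLE: the destination is taken verbatim from the request, so
//   ?redirect_to=https://attacker.example/login
// bounces the user off-site through a URL that starts with the trusted
// domain, which is exactly what a phishing page wants.
function example_after_login_vulnerable() {
    $to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : home_url();
    wp_redirect( $to );
    exit;
}

// HARDENED: wp_validate_redirect() accepts only http(s) URLs whose host is
// the site's own (or one added via the allowed_redirect_hosts filter),
// rejects protocol-relative "//host" forms, and returns the fallback for
// anything else. wp_safe_redirect() applies the same check internally,
// with admin_url() as its default fallback.
function example_after_login_hardened() {
    $requested = isset( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : '';
    $to        = wp_validate_redirect( $requested, home_url() ); // off-site -> home_url()
    wp_safe_redirect( $to, 302 );
    exit;
}

// If a redirect to another host is genuinely required (an SSO provider,
// say), extend the allow-list explicitly instead of bypassing the check.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'sso.example.com'; // hypothetical partner host
    return $hosts;
} );
```

The check to make during review is simple: any `wp_redirect()` whose argument can be influenced by the request is a finding unless it is preceded by `wp_validate_redirect()`; `wp_safe_redirect()` is the drop-in replacement.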
The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to
The FeedWordPress plugin before 2022.0123 is affected by a Reflected Cross-Site Scripting (XSS) with
The Skins for Contact Form 7 WordPress plugin before 2.5.1 does not sanitise and escape the tab para
The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in
The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-bui
The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does
The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a f
The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP a
The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various paramete
The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements befor
The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before
The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used wh
The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_languag
The WHMCS Bridge WordPress plugin before 6.4b does not sanitise and escape the error parameter befor
The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of i
The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of f
The Easy Social Feed Free and Pro WordPress plugins before 6.2.7 do not sanitise some of their param
A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php f
The Securimage-WP-Fixed WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the
The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plug
The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several A
The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configurat
The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuratio
The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']
The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF'
The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a
The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via
The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form
The Cookie Information | Free GDPR Consent Solution WordPress plugin before 2.0.8 does not escape us
The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs WordPress plugin before 2
The WooCommerce Stored Exporter WordPress plugin before 2.7.1 was affected by a Reflected Cross-Site
The WP Accessibility Helper (WAH) WordPress plugin before 0.6.0.7 does not sanitise and escape the w
The Page Builder KingComposer WordPress plugin through 2.9.6 does not validate the id parameter befo
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id
The WP RSS Aggregator WordPress plugin before 4.20 does not sanitise and escape the id parameter in
The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin
The NewStatPress WordPress plugin before 1.3.6 does not properly escape the whatX parameters before
The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid paramete
The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback paramet
The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated
The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, availab
The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby an
The WOOCS WordPress plugin before 1.3.7.5 does not sanitise and escape the woocs_in_order_currency p
The LearnPress WordPress plugin before 4.1.6 does not sanitise and escape the lp-dismiss-notice befo
The Ad Inserter WordPress plugin before 2.7.10, Ad Inserter Pro WordPress plugin before 2.7.10 do no
The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter whi
The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter bef
The Embed Swagger WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficie
The TI WooCommerce Wishlist WordPress plugin before 1.40.1, TI WooCommerce Wishlist Pro WordPress pl
The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_cu
The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisa
The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids paramet
The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when regist
The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cro
The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which c
The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3_g
The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does no
The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be upload
The Mapping Multiple URLs Redirect Same Page WordPress plugin through 5.8 does not sanitize and esca
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and p
The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross
The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in i
The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter
The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path pa
The Master Elements WordPress plugin through 8.0 does not validate and escape the meta_ids parameter
The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the post_id paramet
The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id par
The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the data_target
The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is b
The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before usi
The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id paramet
The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month para
The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using
The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitis
The Ubigeo de Perú para Woocommerce WordPress plugin before 3.6.4 does not properly sanitise and esc
The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it
The WP Video Gallery WordPress plugin through 1.7.1 does not sanitise and escape a parameter before
The Bestbooks WordPress plugin through 2.6.3 does not sanitise and escape some parameters before usi
The SpeakOut! Email Petitions WordPress plugin before 2.14.15.1 does not sanitise and escape the id
The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.22.9 does not sanitise and escape
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the
The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before
The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin
The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks whe
The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room pa
The Personal Dictionary WordPress plugin before 1.3.4 fails to properly sanitize user supplied POST
The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have auth
The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation c
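The cluster of entries ending here (Sitemap by click5, Product Table for WooCommerce, RSVP and Event Management, and earlier Duplicate Page or Post, External Media without Import, HTML2WP) all describe AJAX or REST handlers that perform a privileged action without an authorisation check, a CSRF check, or both. The block below is an added example, not code from any of those plugins; it assumes WordPress and a hypothetical "delete an entry" operation, and shows the vulnerable handler beside the hardened one for both `admin-ajax.php` actions and a REST route.

```php
<?php
/**
 * Added example (not code from any plugin on this page).
 * Assumes WordPress; action names, the "example-admin" script handle and
 * the example/v1 REST namespace are hypothetical.
 */

// VULNERABLE: hooked for logged-in (wp_ajax_) AND anonymous
// (wp_ajax_nopriv_) callers, with no nonce and no capability check.
// Anyone who can reach admin-ajax.php deletes any post by id, and a
// logged-in administrator can be made to do it by a cross-site request.
add_action( 'wp_ajax_example_delete_entry',        'example_delete_entry_vulnerable' );
add_action( 'wp_ajax_nopriv_example_delete_entry', 'example_delete_entry_vulnerable' );
function example_delete_entry_vulnerable() {
    $id = intval( $_POST['id'] );
    wp_delete_post( $id, true );
    wp_send_json_success();
}

// HARDENED:
//   - no nopriv hook: anonymous callers have no business here;
//   - check_ajax_referer() rejects requests without a valid nonce, which
//     is bound to the user session and the action name (CSRF control);
//   - current_user_can() checks authorisation for THIS object, not merely
//     "is logged in" (a subscriber is logged in too).
add_action( 'wp_ajax_example_delete_entry_safe', 'example_delete_entry_hardened' );
function example_delete_entry_hardened() {
    check_ajax_referer( 'example_delete_entry', 'nonce' ); // dies on failure

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $id || ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }

    wp_delete_post( $id, true );
    wp_send_json_success( array( 'deleted' => $id ) );
}

// The nonce is issued server-side to the page that will make the call.
// Assumes a script registered under the handle "example-admin"; its JS
// then posts { action: 'example_delete_entry_safe', nonce: exampleDelete.nonce, id: 123 }.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleDelete', array(
        'nonce' => wp_create_nonce( 'example_delete_entry' ),
        'url'   => admin_url( 'admin-ajax.php' ),
    ) );
} );

// The REST equivalent of the same mistake is a route whose permission_callback
// is missing or set to '__return_true'. REST requests authenticated by cookie
// already require the X-WP-Nonce header, so the remaining job is authorisation.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/entry/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => function ( WP_REST_Request $req ) {
            $id = absint( $req['id'] );
            wp_delete_post( $id, true );
            return rest_ensure_response( array( 'deleted' => $id ) );
        },
        'permission_callback' => function ( WP_REST_Request $req ) {
            return current_user_can( 'delete_post', absint( $req['id'] ) );
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
        ),
    ) );
} );
```

A quick triage heuristic for a plugin audit: grep for `wp_ajax_nopriv_` and for `'permission_callback' => '__return_true'`, then read each handler for a state-changing call (`update_option`, `wp_delete_post`, file writes, SQL writes); every such call reachable without a nonce and a capability check is one of the entries in this list waiting to happen.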
The Pricing Deals for WooCommerce WordPress plugin through 2.0.2.02 does not properly sanitise and e
The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parame
There is a Cross-Site Scripting vulnerability in the JobSearch WP JobSearch WordPress plugin before
In the Noo JobMonster WordPress theme before 4.5.2.9 there is an XSS vulnerability as the
The Gwyn's Imagemap Selector WordPress plugin through 0.3.3 does not sanitise and escape some parame
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of severa
The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a param
The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given
The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter bef
The Videos sync PDF WordPress plugin through 1.7.4 does not validate the p parameter before using it
The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and
The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper acces
The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importin
The HC Custom WP-Admin URL WordPress plugin through 1.4 leaks the secret login URL when sending a sp
The WPQA Builder WordPress plugin before 5.4, used as a companion for the Discy and Himer, does not
The WPQA Builder WordPress plugin before 5.5 which is a companion to the Discy and Himer, lacks aut
The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in its
The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters
The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'
The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficien
The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator
The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does not sanitise and escape param
The Copyright Proof WordPress plugin through 4.16 does not sanitise and escape a parameter before ou
The Shortcodes and extra features for Phlox WordPress plugin before 2.9.8 does not sanitise and esca
The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store WordP
The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it
The Awin Data Feed WordPress plugin before 1.8 does not sanitise and escape a parameter before outpu
The Gallery WordPress plugin before 2.0.0 does not sanitise and escape a parameter before outputting
The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers
The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST
WordPress is a free and open-source content management system written in PHP and paired with a Maria
The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI']
The Unyson WordPress plugin before 2.7.27 does not sanitise and escape a parameter before outputting
The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the
The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST
The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX ac
The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowin
The Feed Them Social WordPress plugin before 3.0.1 does not sanitise and escape a parameter before o
The Transposh WordPress Translation plugin for WordPress is vulnerable to sensitive information disc
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and p
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and p
The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live
The Ninja Job Board WordPress plugin before 1.3.3 does not protect the directory where it stores upl
The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type, and does not p
The Duplicator WordPress plugin before 1.4.7 discloses the URL of a backup to unauthenticated vi
The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.21.83 does not sanitise
The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in a
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blin
Sensitive Information Disclosure (sac-export.csv) in Simple Ajax Chat (WordPress plugin) <= 20220115
Reflected Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. Th
The Migration, Backup, Staging WordPress plugin before 0.9.76 does not sanitise and validate a param
The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting the
The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before
Unauthenticated Arbitrary File Read vulnerability in MultiSafepay plugin for WooCommerce plugin <= 4
Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities in Osamaesh WP Visitor Statistics plug
The WPB Show Core WordPress plugin does not sanitize and escape a parameter before outputting it bac
The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and escape a parameter before output
The WPSmartContracts WordPress plugin before 1.3.12 does not properly sanitise and escape a paramete
Reflected Cross-Site Scripting (XSS) vulnerability in CRM Perks Forms – WordPress Form Builder <= 1.
The Helloprint WordPress plugin before 1.4.7 does not sanitise and escape a parameter before outputt
The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escape some parameter
The FlatPM WordPress plugin before 3.0.13 does not sanitise and escape some parameters before output
The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate upl
The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before us
The JoomSport WordPress plugin before 5.2.8 does not properly sanitise and escape a parameter before
The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's export
The Cryptocurrency Widgets Pack WordPress plugin before 2.0 does not sanitise and escape some parame
The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be ca
The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when ren
The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL s
The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to
Unauth. Directory Traversal vulnerability in Welcart eCommerce plugin <= 2.7.7 on WordPress.
The WP-Ban WordPress plugin before 1.69.1 does not sanitise and escape some of its settings, which c
The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before
The Sunshine Photo Cart WordPress plugin before 2.9.15 does not sanitise and escape a parameter befo
The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that
The Panda Pods Repeater Field WordPress plugin before 1.5.4 does not sanitize and escape a paramete
The WordPress Events Calendar WordPress plugin before 1.4.5 does not sanitize and escape a paramete
The PDF Generator for WordPress plugin before 1.1.2 includes a vendored dompdf example file which is
The Post Status Notifier Lite WordPress plugin before 1.10.1 does not sanitise and escape a paramete
The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be up
The Fontsy WordPress plugin through 1.8.6 does not properly sanitize and escape a parameter before u
Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.
The BackupBuddy WordPress plugin before 8.8.3 does not sanitise and escape some parameters before ou
The Simple URLs WordPress plugin before 115 does not sanitise and escape some parameters before outp
The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to displa
The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log file
The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a
The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the reset_key and user_id
The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape
The ShortPixel Adaptive Images WordPress plugin before 3.6.3 does not sanitise and escape a paramete
The WP Helper Lite WordPress plugin, in versions < 4.3, returns all GET parameters unsanitized in th
The Membership Database WordPress plugin through 1.0 does not sanitise and escape a parameter before
The Registration Forms WordPress plugin before 3.8.2.3 does not properly validate the redirection UR
The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.9 does not escape user input
The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are
The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering s
The Pricing Table Builder WordPress plugin through 1.1.6 does not properly sanitise and escape a par
The Japanized For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting v
The Japanized For WooCommerce WordPress plugin before 2.5.8 does not escape generated URLs before ou
The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dn’, 'em
The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a para
The GN Publisher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’
A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress.
The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Information Exposure in ve
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss
The Video List Manager WordPress plugin through 1.7 does not properly sanitise and escape a paramete
The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthoriz
The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them
The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using
The Companion Sitemap Generator WordPress plugin before 4.5.3 does not sanitise and escape some para
The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input befo
The Tablesome WordPress plugin before 1.0.9 does not escape various generated URLs, before outputtin
Plugin does not sanitize and escape the URL field in the Pretty Url WordPress plugin through 1.5.4 s
The Custom 404 Pro WordPress plugin before 3.7.3 does not escape some URLs before outputting them in
The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is p
The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_ta
The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter b
The Aajoda Testimonials WordPress plugin before 2.2.2 does not sanitise and escape some of its setti
The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, wh
The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forge
The Directorist WordPress plugin before 7.5.4 is vulnerable to Local File Inclusion as it does not v
The Tiempo.com WordPress plugin through 0.1.2 does not sanitise and escape the page parameter before
The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL in
The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthent
The Quick Event Manager WordPress Plugin, version < 9.7.5, is affected by a reflected cross-site scr
The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL i
The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and inclu
The InventoryPress WordPress plugin through 1.7 does not sanitise and escape some of its settings, w
The AN_GradeBook WordPress plugin through 5.0.1 does not properly sanitise and escape a parameter be
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and in
The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in
The Social Share, Social Login and Social Comments WordPress plugin before 7.13.52 does not sanitise
The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_
An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthent
All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordP
The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and includ
The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an un
The Woo Bulk Price Update WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-si
The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validat
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versio
The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is
The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass
The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts w
The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a miss
The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its event
The Comments Like Dislike plugin for WordPress is vulnerable to unauthorized modification of data du
The LMS by Masteriyo WordPress plugin before 1.6.8 does not properly safeguard sensitive user infor
The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and includi
The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accou
The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before output
The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated
The MasterStudy LMS WordPress Plugin WordPress plugin before 3.0.18 does not have proper checks in p
This User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially
This Activity Log WordPress plugin before 2.8.8 retrieves client IP addresses from potentially untru
The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the referer hea
The Uploading SVG, WEBP and ICO files WordPress plugin through 1.2.1 does not sanitise uploaded SVG
The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validat
The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retriev
The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Co
The WordPress File Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting
The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that sho
The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitiv
The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via
The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions
The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate u
The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via t
The MpOperationLogs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the IP Req
WordPress does not properly restrict which user fields are searchable via the REST API, allowing una
The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect au
The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter
The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 do
The Swift Performance Lite WordPress plugin before 2.3.6.15 does not prevent users from exporting th
The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up
The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ par
The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from o
The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and in
The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress pl
The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions
The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthor
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authori
The Travelpayouts: All Travel Brands in One Place WordPress plugin through 1.1.15 is vulnerable to O
The ColorMag theme for WordPress is vulnerable to unauthorized access due to a missing capability ch
The Popup More Popups, Lightboxes, and more popup modules plugin for WordPress is vulnerable to Loca
The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL in
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Mem
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versio
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versio
The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versio
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vuln
The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With
The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup acti
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' a