401 docs tagged with "WordPress_CMS"

A blind SQL injection vulnerability is present in Chop Slider 3, a WordPress plugin. The vulnerabili

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) all

The GTranslate plugin before 2.8.52 for WordPress has Reflected XSS via a crafted link. This require

The Catch Breadcrumb plugin before 1.5.4 for WordPress allows Reflected XSS via the s parameter (a s

The drag-and-drop-multiple-file-upload-contact-form-7 plugin before 1.3.3.3 for WordPress allows Unr

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an inse

The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for WordPress allows SQL Injection.

search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.

Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 fo

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for W

The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload

A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages

The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended pa

An unauthenticated SQL Injection vulnerability in Good Layers LMS Plugin <= 2.1.4 exists due to the

The Canto plugin 1.3.0 for WordPress contains a blind SSRF vulnerability. It allows an unauthenticat

The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field.

The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploit

The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPress allows Unrestricted File U

Directory traversal vulnerability in class-simple_job_board_resume_download_handler.php in the Simpl

An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. It allows u

The 15Zine WordPress theme before 3.3.0 does not sanitise and escape the cbi parameter before output

The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/Display

A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker ap

The Time Capsule plugin before 1.21.16 for WordPress has an authentication bypass. Any request conta

The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_m

The wpCentral plugin before 1.5.1 for WordPress allows disclosure of the connection key.

BuddyPress is an open source WordPress plugin to build a community site. In releases of BuddyPress f

Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, d

Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.

The LikeBtn WordPress Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.32 was vulnerable to

The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure

In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX ac

This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export

The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, w

There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to

The OpenID Connect Generic Client WordPress plugin 3.8.0 and 3.8.1 did not sanitise the login error

An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plu

In the AccessAlly WordPress plugin before 3.5.7, the file 'resource/frontend/product/product-shortco

The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plug

The Goto WordPress theme before 2.0 does not sanitise the keywords and start_date GET parameter on i

The Imagements WordPress plugin through 1.2.5 allows images to be uploaded in comments, however only

The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the k

The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments W

The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (s

The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of i

The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its opti

The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of i

In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use t

The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file up

The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin thro

The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanit

The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons Word

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulner

The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin

The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise it's '

The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape it

The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its ser

The WP Statistics WordPress plugin before 13.0.8 relied on using the WordPress esc_sql() function on

The JNews WordPress theme before 8.0.6 did not sanitise the cat_id parameter in the POST request /?a

The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however

The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin bef

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.10 did not validate a redirec

The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its

The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload

The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community par

The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did

The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the log

The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its

The Prismatic WordPress plugin before 2.8 does not escape the 'tab' GET parameter before outputting

The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting

The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, es

The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (X

The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have expo

The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 se

The Marmoset Viewer WordPress plugin before 1.9.3 does not property sanitize, validate or escape the

The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start'

The Workreap WordPress theme before 2.2.2 AJAX actions workreap_award_temp_file_uploader and workrea

The MF Gig Calendar WordPress plugin before 1.2 does not sanitise and escape the id GET parameter be

The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the

The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET paramete

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invit

The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invit

The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise

The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET pa

The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the 'orde

The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subsc

The AnyComment WordPress plugin before 0.3.5 has an API endpoint which passes user input via the red

The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, availab

The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_a

The eCommerce Product Catalog Plugin for WordPress plugin before 3.0.39 does not escape the ic-setti

The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input a

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a

The Contest Gallery WordPress plugin before 13.1.0.6 does not have capability checks and does not sa

The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows to get the secret login page

The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter be

The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape

The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before output

The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape

The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time

The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation

The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise

The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab pa

The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before output

The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.30 does not s

The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab

The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API end

The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenti

The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter be

The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise

The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to para

The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter bef

The Button Generator WordPress plugin before 2.3.3 within the wow-company admin menu page allows to

The FeedWordPress plugin before 2022.0123 is affected by a Reflected Cross-Site Scripting (XSS) with

The Skins for Contact Form 7 WordPress plugin before 2.5.1 does not sanitise and escape the tab para

The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in

The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-bui

The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does

The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a f

The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP a

The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various paramete

The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements befor

The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before

The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used wh

The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_languag

The WHMCS Bridge WordPress plugin before 6.4b does not sanitise and escape the error parameter befor

The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of i

The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of f

The Easy Social Feed Free and Pro WordPress plugins before 6.2.7 do not sanitise some of their param

A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php f

The Securimage-WP-Fixed WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the

The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $

Authenticated Persistent Cross-Site Scripting (XSS) vulnerability in WordPress iQ Block Country plug

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several A

The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configurat

The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuratio

The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of `$GLOBALS['PHP_SELF']

The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of `$_SERVER['PHP_SELF'

The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a

The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via

The Visual Form Builder WordPress plugin before 3.0.6 does not perform access control on entry form

The Cookie Information | Free GDPR Consent Solution WordPress plugin before 2.0.8 does not escape us

The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs WordPress plugin before 2

The WooCommerce Stored Exporter WordPress plugin before 2.7.1 was affected by a Reflected Cross-Site

The WP Accessibility Helper (WAH) WordPress plugin before 0.6.0.7 does not sanitise and escape the w

The Page Builder KingComposer WordPress plugin through 2.9.6 does not validate the id parameter befo

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id

The WP RSS Aggregator WordPress plugin before 4.20 does not sanitise and escape the id parameter in

The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin

The NewStatPress WordPress plugin before 1.3.6 does not properly escape the whatX parameters before

The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid paramete

The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback paramet

The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated

The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, availab

The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby an

The WOOCS WordPress plugin before 1.3.7.5 does not sanitise and escape the woocs_in_order_currency p

The LearnPress WordPress plugin before 4.1.6 does not sanitise and escape the lp-dismiss-notice befo

The Ad Inserter WordPress plugin before 2.7.10, Ad Inserter Pro WordPress plugin before 2.7.10 do no

The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter whi

The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter bef

The Embed Swagger WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficie

The TI WooCommerce Wishlist WordPress plugin before 1.40.1, TI WooCommerce Wishlist Pro WordPress pl

The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_cu

The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisa

The Page View Count WordPress plugin before 2.4.15 does not sanitise and escape the post_ids paramet

The MasterStudy LMS WordPress plugin before 2.7.6 does to validate some parameters given when regist

The Ditty (formerly Ditty News Ticker) WordPress plugin before 3.0.15 is affected by a Reflected Cro

The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which c

The FormCraft WordPress plugin before 3.8.28 does not validate the URL parameter in the formcraft3_g

The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does no

The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.3 allows SVG files to be upload

The Mapping Multiple URLs Redirect Same Page WordPress plugin through 5.8 does not sanitize and esca

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and p

The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross

The Web To Print Shop : uDraw WordPress plugin before 3.3.3 does not validate the url parameter in i

The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter

The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path pa

The Master Elements WordPress plugin through 8.0 does not validate and escape the meta_ids parameter

The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the post_id paramet

The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id par

The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the data_target

The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is b

The Nirweb support WordPress plugin before 2.8.2 does not sanitise and escape a parameter before usi

The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id paramet

The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month para

The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using

The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape

The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitis

The Ubigeo de Perú para Woocommerce WordPress plugin before 3.6.4 does not properly sanitise and esc

The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it

The WP Video Gallery WordPress plugin through 1.7.1 does not sanitise and escape a parameter before

The Bestbooks WordPress plugin through 2.6.3 does not sanitise and escape some parameters before usi

The SpeakOut! Email Petitions WordPress plugin before 2.14.15.1 does not sanitise and escape the id

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.22.9 does not sanitise and escape

The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied

The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the

The Header Footer Code Manager WordPress plugin before 1.1.24 does not escape generated URLs before

The Order Listener for WooCommerce WordPress plugin before 3.2.2 does not sanitise and escape the id

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks whe

The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the room pa

The Personal Dictionary WordPress plugin before 1.3.4 fails to properly sanitize user supplied POST

The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have auth

The RSVP and Event Management Plugin WordPress plugin before 2.7.8 does not have any authorisation c

The Pricing Deals for WooCommerce WordPress plugin through 2.0.2.02 does not properly sanitise and e

The Simple File List WordPress plugin is vulnerable to Arbitrary File Download via the eeFile parame

There is a Cross-Site Scripting vulnerability in the JobSearch WP JobSearch WordPress plugin before

In the Noo JobMonster WordPress theme before 4.5.2.9 JobMonster there is a XSS vulnerability as the

The Gwyn's Imagemap Selector WordPress plugin through 0.3.3 does not sanitise and escape some parame

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of severa

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a param

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given

The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter bef

The Videos sync PDF WordPress plugin through 1.7.4 does not validate the p parameter before using it

The External Media without Import WordPress plugin through 1.1.2 does not have any authorisation and

The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper acces

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importin

The HC Custom WP-Admin URL WordPress plugin through 1.4 leaks the secret login URL when sending a sp

The WPQA Builder WordPress plugin before 5.4, used as a companion for the Discy and Himer , does not

The WPQA Builder WordPress plugin before 5.5 which is a companion to the Discy and Himer , lacks aut

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's

The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to insufficien

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even the administrator

The Pricing Tables WordPress Plugin WordPress plugin before 3.2.1 does not sanitise and escape param

The Copyright Proof WordPress plugin through 4.16 does not sanitise and escape a parameter before ou

The Shortcodes and extra features for Phlox WordPress plugin before 2.9.8 does not sanitise and esca

The Active Products Tables for WooCommerce. Professional products tables for WooCommerce store WordP

The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it

The Awin Data Feed WordPress plugin before 1.8 does not sanitise and escape a parameter before outpu

The Gallery WordPress plugin before 2.0.0 does not sanitise and escape a parameter before outputting

The Free Booking Plugin for Hotels, Restaurant and Car Rental WordPress plugin before 1.1.16 suffers

The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST

WordPress is a free and open-source content management system written in PHP and paired with a Maria

The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI']

The Unyson WordPress plugin before 2.7.27 does not sanitise and escape a parameter before outputting

The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST

The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX ac

The Easy Student Results WordPress plugin through 2.2.8 lacks authorisation in its REST API, allowin

The Feed Them Social WordPress plugin before 3.0.1 does not sanitise and escape a parameter before o

The Transposh WordPress Translation plugin for WordPress is vulnerable to sensitive information disc

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and p

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and p

The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live

The Ninja Job Board WordPress plugin before 1.3.3 does not protect the directory where it stores upl

The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type, and does not p

The Duplicator WordPress plugin before 1.4.7 discloses the url of the a backup to unauthenticated vi

The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.21.83 does not sanitise

The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in a

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file downloads and blin

Sensitive Information Disclosure (sac-export.csv) in Simple Ajax Chat (WordPress plugin) <= 20220115

Reflective Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. Th

The Migration, Backup, Staging WordPress plugin before 0.9.76 does not sanitise and validate a param

The Simple File List WordPress plugin before 4.4.12 does not escape parameters before outputting the

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before

Unauthenticated Arbitrary File Read vulnerability in MultiSafepay plugin for WooCommerce plugin <= 4

Multiple Unauthenticated SQL Injection (SQLi) vulnerabilities in Osamaesh WP Visitor Statistics plug

The WPB Show Core WordPress plugin does not sanitize and escape a parameter before outputting it bac

The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and escape a parameter before output

The WPSmartContracts WordPress plugin before 1.3.12 does not properly sanitise and escape a paramete

Reflected Cross-Site Scripting (XSS) vulnerability in CRM Perks Forms – WordPress Form Builder <= 1.

The Helloprint WordPress plugin before 1.4.7 does not sanitise and escape a parameter before outputt

The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escapes some parameter

The FlatPM WordPress plugin before 3.0.13 does not sanitise and escape some parameters before output

The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate upl

The WP User WordPress plugin through 7.0 does not properly sanitize and escape a parameter before us

The JoomSport WordPress plugin before 5.2.8 does not properly sanitise and escape a parameter before

The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's export

The Cryptocurrency Widgets Pack WordPress plugin before 2.0 does not sanitise and escape some parame

The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be ca

The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when ren

The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL s

The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to

Unauth. Directory Traversal vulnerability in Welcart eCommerce plugin <= 2.7.7 on WordPress.

The WP-Ban WordPress plugin before 1.69.1 does not sanitise and escape some of its settings, which c

The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before

The Sunshine Photo Cart WordPress plugin before 2.9.15 does not sanitise and escape a parameter befo

The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that

The Panda Pods Repeater Field WordPress plugin before 1.5.4 does not sanitize and escapes a paramete

The WordPress Events Calendar WordPress plugin before 1.4.5 does not sanitize and escapes a paramete

The PDF Generator for WordPress plugin before 1.1.2 includes a vendored dompdf example file which is

The Post Status Notifier Lite WordPress plugin before 1.10.1 does not sanitise and escape a paramete

The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be up

The Fontsy WordPress plugin through 1.8.6 does not properly sanitize and escape a parameter before u

Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin <= 4.1.7.3.2 versions.

The BackupBuddy WordPress plugin before 8.8.3 does not sanitise and escape some parameters before ou

The Simple URLs WordPress plugin before 115 does not sanitise and escape some parameters before outp

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not limit what log files to displa

The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log file

The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a

The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the reset_key and user_id

The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape

The ShortPixel Adaptive Images WordPress plugin before 3.6.3 does not sanitise and escape a paramete

The WP Helper Lite WordPress plugin, in versions < 4.3, returns all GET parameters unsanitized in th

The Membership Database WordPress plugin through 1.0 does not sanitise and escape a parameter before

The Registration Forms WordPress plugin before 3.8.2.3 does not properly validate the redirection UR

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.9 does not escape user input

The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are

The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering s

The Pricing Table Builder WordPress plugin through 1.1.6 does not properly sanitise and escape a par

The Japanized For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting v

The Japanized For WooCommerce WordPress plugin before 2.5.8 does not escape generated URLs before ou

The Watu Quiz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dn’, 'em

The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a para

The GN Publisher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’

A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress.

The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Information Exposure in ve

The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss

The Video List Manager WordPress plugin through 1.7 does not properly sanitise and escape a paramete

The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthoriz

The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them

The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using

The Companion Sitemap Generator WordPress plugin before 4.5.3 does not sanitise and escape some para

The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input befo

The Tablesome WordPress plugin before 1.0.9 does not escape various generated URLs, before outputtin

Plugin does not sanitize and escape the URL field in the Pretty Url WordPress plugin through 1.5.4 s

The Custom 404 Pro WordPress plugin before 3.7.3 does not escape some URLs before outputting them in

The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is p

The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_ta

The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter b

The Aajoda Testimonials WordPress plugin before 2.2.2 does not sanitise and escape some of its setti

The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, wh

The wpForo Forum plugin for WordPress is vulnerable to Local File Include, Server-Side Request Forge

The Directorist WordPress plugin before 7.5.4 is vulnerable to Local File Inclusion as it does not v

The Tiempo.com WordPress plugin through 0.1.2 does not sanitise and escape the page parameter before

The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL in

The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthent

The Quick Event Manager WordPress Plugin, version < 9.7.5, is affected by a reflected cross-site scr

The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL i

The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and inclu

The InventoryPress WordPress plugin through 1.7 does not sanitise and escape some of its settings, w

The AN_GradeBook WordPress plugin through 5.0.1 does not properly sanitise and escape a parameter be

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and in

The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in

The Social Share, Social Login and Social Comments WordPress plugin before 7.13.52 does not sanitise

The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthent

All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordP

The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and includ

The Gift Cards (Gift Vouchers and Packages) WordPress Plugin, version <= 4.3.1, is affected by an un

The Woo Bulk Price Update WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-si

The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validat

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versio

The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is

The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts w

The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a miss

The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its event

The Comments Like Dislike plugin for WordPress is vulnerable to unauthorized modification of data du

The LMS by Masteriyo WordPress plugin before 1.6.8 does not properly safeguards sensitive user infor

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and includi

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accou

The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before output

The Ditty WordPress plugin before 3.1.25 does not sanitise and escape some parameters and generated

The MasterStudy LMS WordPress Plugin WordPress plugin before 3.0.18 does not have proper checks in p

This User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially

This Activity Log WordPress plugin before 2.8.8 retrieves client IP addresses from potentially untru

The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the referer hea

The Uploading SVG, WEBP and ICO files WordPress plugin through 1.2.1 does not sanitise uploaded SVG

The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validat

The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retriev

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Co

The WordPress File Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting

The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that sho

The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitiv

The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via

The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions

The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate u

The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via t

The MpOperationLogs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the IP Req

WordPress does not properly restrict which user fields are searchable via the REST API, allowing una

The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect au

The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter

The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does

The Swift Performance Lite WordPress plugin before 2.3.6.15 does not prevent users from exporting th

The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up

The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ par

The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from o

The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and in

The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress pl

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions

The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthor

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authori

The Travelpayouts: All Travel Brands in One Place WordPress plugin through 1.1.15 is vulnerable to O

The ColorMag theme for WordPress is vulnerable to unauthorized access due to a missing capability ch

The Popup More Popups, Lightboxes, and more popup modules plugin for WordPress is vulnerable to Loca

The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL in

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Mem

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versio

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versio

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versio

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vuln

The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup acti

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' a