WordPress Plugin Vulnerabilities
- LifterLMS < 3.37.15 – Arbitrary File Writing
- WordPress SEO Plugin – Rank Math < 1.0.41 – Redirect Creation via Unprotected REST API Endpoint
- WordPress SEO Plugin – Rank Math < 1.0.41 – Privilege Escalation via Unprotected REST API Endpoint
- Elementor Page Builder < 2.9.6 – Authenticated Safe Mode Privilege Escalation
- CM Pop-Up banners < 1.4.11 – Authenticated Stored XSS
- IMPress for IDX Broker < 2.6.2 – Authenticated Post Creation, Modification, and Deletion
- IMPress for IDX Broker < 2.6.2 – Authenticated Stored Cross-Site Scripting (XSS) via unprotected ‘idx_update_recaptcha_key’ AJAX
- All-in-One WP Migration < 7.15 – Arbitrary Backup Download
- Product Lister for Walmart <= 1.0.0 – Unauthenticated RCE via Outdated PHPUnit
- Multiple plugins – Unauthenticated Dompdf Local File Inclusion (LFI)
- Data Tables Generator By Supsystic < 1.9.92 – CSRF to Stored XSS, Data Table Creations, Settings Modification
- Data Tables Generator By Supsystic < 1.9.92 – Authenticated Stored XSS
- Data Tables Generator By Supsystic < 1.9.92 – Insecure Permissions on AJAX Actions
- Cookiebot < 3.6.1 – Authenticated Reflected Cross-Site Scripting (XSS)
- WPvivid Backup < 0.9.36 – Missing Authorization Leading To Database Leak
- Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 – Unprotected AJAX Endpoints
- Advanced Ads < 1.17.4 – Authenticated Reflected XSS via Admin Dashboard
- Custom Post Type UI < 1.7.4 – CSRF to Stored XSS
- Newsletter < 6.5.4 – CSV Injection
- LearnPress < 3.2.6.7 – Privilege Escalation
- WordPress File Upload < 4.13.0 – Directory Traversal to RCE
- Popup Builder < 3.64.1 – Multiple Issues
- Multiple WebToffee Plugins – Cross-Site Request Forgery (CSRF) Issue
- Import Export WordPress Users < 1.3.9 – Authenticated Arbitrary User Creation
- Search Meter <= 2.13.2 – CSV Injection
- MStore API < 2.1.6 – Unauthenticated Arbitrary Account Creation/Edition
- Font Awesome 4.0.0-RC15 & RC16 – API Token & Access Token Disclosure
- WPML < 4.3.7 – Authenticated Cross Site Request Forgery leading to Remote Code Execution
- WP Security Audit Log < 4.0.2 – Broken Access Control in First-Time Install Wizard
- Custom Searchable Data Entry System <= 1.7.1 – Unauthenticated Data Modification and Deletion (0-day, being exploited)
- RegistrationMagic – Custom Registration Forms and User Login < 4.6.0.4 – Multiple Critical Issues
- WP Advanced Search < 3.3.4 – Unauthenticated Database Access and Remote Code Execution (RCE)
- WPForms < 1.5.9 – Authenticated Cross Site Scripting (XSS)
- Brizy – Page Builder < 1.0.114 – Unauthenticated Site Settings Update
- Appointment Booking Calendar < 1.3.35 – CSV Injection
- Appointment Booking Calendar < 1.3.35 – Authenticated Stored Cross-Site Scripting (XSS)
- WooCommerce Smart Coupons < 4.6.5 – Unauthenticated Coupon Creation
- Testimonial < 2.1.7 – Authenticated Stored Cross-Site Scripting (XSS)