Latest WordPress Vulnerabilities (Plugins)

For more information, click on the link. You will be redirected to wpvulndb.com for the details.

31. December 2019
Donorbox 7.1~7.1.1 – Stored Cross-Site Scripting via Shortcode

30. December 2019
Photo Gallery – Image Gallery by Ape <= 2.0.6 - Authenticated Arbitrary Plugin Deactivation

27. December 2019
GDPR Cookie Compliance <= 4.0.2 - Authenticated Settings Reset

26. December 2019
bbPress Login Register Links On Forum Topic Pages <= 2.7.5 - CSRF to Stored XSS

26. December 2019
bbPress Members Only <= 1.2.1 - CSRF on Optional Settings page

25. December 2019
Featured Image from URL <= 2.7.7 - Missing Access Controls on REST routes

22. December 2019
Rencontre <= 3.2.2 - Multiple CSRF

13. December 2019
Quiz And Survey Master < 6.3.5 - Authenticated Reflected XSS

13. December 2019
WordPress <= 5.3 - Stored XSS via Block Editor Content

13. December 2019
WordPress <= 5.3 - Stored XSS via Crafted Links

13. December 2019
ListingPro <= 2.0.14.2 - Reflected & Persistent XSS

13. December 2019
WordPress <= 5.3 - Improper Access Controls

12. December 2019
Superlist <= 2.9.2 - Persistent XSS

12. December 2019
Ultimate Addons for Beaver Builder <= 1.24.0 - Authentication Bypass

12. December 2019
Ultimate Addons for Elementor <= 1.20.0 - Authentication Bypass

11. December 2019
Scoutnet Kalender <= 1.1.0 - Stored Cross-Site Scripting (XSS)

05. December 2019
CSS Hero <= 4.0.3 - Authenticated Reflected XSS

02. December 2019
Mesmerize & Materialis Themes – Authenticated Options Update

21. November 2019
Jetpack 5.1-7.9 – Vulnerability in Embed Code

20. November 2019
WP Maintenance <= 5.0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

18. November 2019
Sassy Social Share <= 3.3.3 - Reflected Cross-Site Scripting

14. November 2019
Anti-Spam by CleanTalk < 5.127.4 - Cross-Site Scripting Issue

10. November 2019
IgniteUp < 3.4.1 - Multiple Issues

05. November 2019
Safe SVG <= 1.9.4 - Denial of Service

31. October 2019
YIT Plugin Framework <= 3.3.8 - Authenticated Plugin's Settings Change

30. October 2019
Give WP < 2.5.10 - Multiple Issues

28. October 2019
About Author <= 1.3.9 - Authenticated Stored Cross-Site Scripting (XSS)

22. October 2019
InJob <= 3.3.7 - Reflected & Persistent XSS

18. October 2019
Sliced Invoices <= 3.8.2 - Multiple Vulnerabilities

17. October 2019
Zoho CRM Lead Magnet Plugin – Authenticated Cross Site Scripting (XSS)

16. October 2019
EU Cookie Law <= 3.0.6 - Stored XSS

16. October 2019
Broken Link Checker <= 1.11.8 - Authenticated Reflected Cross-Site Scripting (XSS)

09. October 2019
SoundPress <= 2.2.6 - XSS

07. October 2019
Export Users to CSV < 1.4 - Unauthorised CSV Access

02. October 2019
Download Plugins and Themes from Dashboard <= 1.5.0 - Unauthenticated Stored XSS

26. September 2019
Selio – Real Estate Directory <= 1.1 - SQL Injection & Persistent XSS

25. September 2019
DELUCKS SEO <= 2.1.7 - Unauthenticated Options Update

25. September 2019
Rich Reviews <= 1.7.4 - Unauthenticated Plugin Options Update

20. September 2019
Motors Car Dealer & Classified Ads < 1.4.1 - Multiple Issues

20. September 2019
Ultimate FAQ < 1.8.25 - Unauthenticated Options Import/Export

19. September 2019
Advanced AJAX Product Filters < 1.3.7 - Unauthenticated Plugin Settings Update

15. September 2019
Woody Ad Snippets < 2.2.8 - Authenticated Reflected XSS

11. September 2019
SlickQuiz <= 1.3.7.1 - Authenticated SQL Injection

11. September 2019
SlickQuiz <= 1.3.7.1 - Unauthenticated Stored XSS

11. September 2019
Checklist <= 1.1.5 - Unauthenticated Reflected XSS

10. September 2019
Ellipsis Human Presence Technology <= 2.0.8 - Unauthenticated Reflected Cross Site Scripting

10. September 2019
Qwiz Online Quizzes And Flashcards <= 3.36 - Unauthenticated Reflected Cross Site Scripting

09. September 2019
Advanced Access Manager < 5.9.9 - Arbitrary File Access/Download

09. September 2019
Photo Gallery by 10Web < 1.5.35 - SQL Injection & XSS

09. September 2019
LifterLMS <= 3.34.5 - Unauthenticated Options Import

07. September 2019
Search Exclude < 1.2.4 - Arbitrary Settings Change

06. September 2019
ECPay Logistics for WooCommerce <= 1.2.181030 - Unauthenticated Reflected XSS

06. September 2019
API Bearer Auth <= 20181229 - Unauthenticated Reflected XSS

05. September 2019
WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation

05. September 2019
WordPress 5.2.2 – Reflected Cross-Site Scripting (XSS) in Dashboard

05. September 2019
WordPress 5.2.2 – Cross-Site Scripting (XSS) in Shortcode Previews

05. September 2019
WordPress 5.2.2 – Potential Open Redirect

05. September 2019
WordPress <= 5.2.2 - Authenticated Cross-Site Scripting (XSS) in Post Previews

05. September 2019
WordPress 5.2.2 – Cross-Site Scripting (XSS) in Stored Comments

04. September 2019
Spryng Payments for WooCommerce <= 1.6.7 - Unauthenticated Reflected XSS

04. September 2019
Portrait-Archiv.com Photostore <= 3.1 - Unauthenticated Reflected XSS

03. September 2019
Event Tickets <= 4.10.7.1 - CSV Injection

30. August 2019
WooCommerce Product Feed for Google, Facebook, eBay and Many More < 3.1.15 - Authenticated Reflected XSS

30. August 2019
Variation Swatches for WooCommerce < 1.0.62 - Reflected XSS

29. August 2019
Insta Gallery < 2.4.8 - CSRF & Missing Authorisation Checks

29. August 2019
Additional Variation Images for WooCommerce < 1.1.29 - Authenticated Stored XSS

29. August 2019
Social LikeBox & Feed < 2.8.5 - CSRF & XSS

29. August 2019
Shapepress DSGVO < 2.2.19 - Authenticated Reflected XSS

29. August 2019
WooCommerce Address Book < 1.6.0 - CSRF

29. August 2019
HandL UTM Grabber < 2.6.5 - Authenticated Option Change via CSRF

27. August 2019
Nextgen Gallery < 3.2.10 - SQL Injection

27. August 2019
UserPro <= 4.9.33 - Unauthenticated Reflected XSS

24. August 2019
Import Export WordPress Users < 1.3.2 - CSV Injection

24. August 2019
Bold Page Builder < 2.3.2 - Missing Access Controls

22. August 2019
Easy Forms for Mailchimp < 6.5.3 - Code Injection

21. August 2019
Web Librarian < 3.5.5 - SQL Injection

18. August 2019
Easy Property Listings <= 3.3.5 - XSS

15. August 2019
WP SVG Icons <= 3.2.2 - Cross-Site Request Forgery (CSRF) leading to RCE

13. August 2019
Email Subscribers & Newsletters <= 4.1.6 - Cross-Site Scripting (XSS)

13. August 2019
WP Fastest Cache <= 0.8.9.5 - Directory Traversal

13. August 2019
Ultimate Member <= 2.0.53 - Cross-Site Scripting (XSS)

12. August 2019
CformsII <= 15.0.1 - Unauthenticated HTML Injection & CSRF

12. August 2019
Give <= 2.5.0 - SQL Injection

11. August 2019
Simple 301 Redirects Addon Bulk Uploader <= 1.2.4 - Multiple Issues

10. August 2019
ND Restaurant Reservations <= 1.3 - Unauthenticated Options Change

08. August 2019
Login Or Logout Menu Item <= 1.1.1 - Unauthenticated Options Change

08. August 2019
JoomSport <= 3.3 - SQL Injection

06. August 2019
ND Learning <= 4.7 - Unauthenticated Options Change

06. August 2019
Popup Builder <= 3.44 - SQL Injection

05. August 2019
ND Bookings <= 2.4 - Unauthenticated Options Change

04. August 2019
ND Donations <= 1.3 - Unauthenticated Options Change

03. August 2019
Real Estate 7 <= 2.9.0 - Stored XSS

03. August 2019
Travel Management <= 1.5 - Unauthenticated Options Change

03. August 2019
Woody Ad Snippets <= 2.2.4 - Multiple Issues

01. August 2019
Order XML File Export Import for WooCommerce <= 1.2.2 - XSS

31. July 2019
ND Shortcodes For Visual Composer <= 5.8 - Unauthenticated WP Options Update

27. July 2019
Custom Simple RSS <= 2.0.6 - CSRF

27. July 2019
Simple Membership <= 3.8.4 - CSRF

27. July 2019
Pirate Forms <= 1.5.1 - HTML Injection & CSRF

26. July 2019
Photo Gallery <= 1.5.30 - SQL Injection

26. July 2019
Advanced Contact form 7 DB <= 1.6.1 - SQL Injection

26. July 2019
OneSignal Web Push Notifications – Stored XSS

25. July 2019
Contact Form 7 Dynamic Text Extension <= 2.0.2.1 - XSS

25. July 2019
Blog2Social <= 5.5.0 - SQL Injection

25. July 2019
AdRotate Banner Manager <= 5.2 - Authenticated SQL Injection

23. July 2019
WPS Cleaner <= 1.4.4 - Multiple Issues

23. July 2019
WPS Bidouille <= 1.12.2 - Multiple Issues

23. July 2019
WPS Limit Login <= 1.4.5 - Multiple Issues

23. July 2019
WPS Child Themes Generator <= 1.1 - Path Traversal

23. July 2019
WPS Hide Login <= 1.5.2.2 - Multiple Issues

22. July 2019
Adaptive Images for WordPress <= 0.6.66 - Local File Inclusion & Deletion

22. July 2019
Email Subscribers & Newsletters <= 4.1.7 - SQL Injection

18. July 2019
Everest Forms <= 1.4.9 - SQL Injection

17. July 2019
All-in-One WP Migration <= 6.97 - XSS in admin backend

17. July 2019
Coming Soon Page & Maintenance Mode <= 1.8.0 - Unauthenticated Stored XSS

16. July 2019
Appointment Hour Booking <= 1.1.45 - Stored Cross-Site Scripting (XSS)

16. July 2019
WP Custom Body Class <= 0.7.0 - CSRF to Stored XSS and Settings Update

15. July 2019
Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution

12. July 2019
Ad Inserter <= 2.4.19 - Authenticated Path Traversal

12. July 2019
Hybrid Composer <= 1.4.6 - Unauthenticated Options Update

12. July 2019
FV Flowplayer Video Player <= 7.3.18.727 - SQLi

12. July 2019
School Management <= 56.0 - CSRF and Stored XSS

12. July 2019
Ultimate Member <= 2.0.51 CSRF and Stored XSS issues

11. July 2019
One Click SSL <= 1.4.6 - Multiple Issues

11. July 2019
Newsletter Lite <= 4.6.16 - Authenticated Reflected XSS

10. July 2019
File Manager <= 4.8 - Multiple Vulnerabilities

10. July 2019
Yoast SEO 1.2.0-11.5 – Authenticated Stored XSS

09. July 2019
iLive <= 1.0.4 - Stored XSS Injection

09. July 2019
Gallery Photoblocks <= 1.1.42 - Authenticated XSS

09. July 2019
WP Google Maps <= 7.11.34 - CSRF to Stored XSS

09. July 2019
LiveChat <= 3.7.2 - Unauthenticated Option Update/Reset and Stored XSS

09. July 2019
Icegram <= 1.10.28.2 - CSRF in save_gallery_data()

09. July 2019
Custom CSS Pro <= 1.0.3 - CSRF & XSS

09. July 2019
HTML5 Maps <= 1.6.5.6 - CSRF & XSS

09. July 2019
Personalized WooCommerce Cart Page <= 2.4 - Cross-Site Request Forgery (CSRF)

09. July 2019
Contest Gallery <= 10.4.4 - Cross-Site Request Forgery (CSRF)

09. July 2019
Online Lesson Booking <= 0.8.6 - CSRF & XSS

09. July 2019
Attendance Manager <= 0.5.6 - CSRF & XSS

09. July 2019
Zoho SalesIQ <= 1.0.8 - XSS & CSRF

09. July 2019
WP Like Button <= 1.6.0 - Auth Bypass

09. July 2019
WP Slimstat <= 4.8.3 - CSRF to Stored XSS and Setting Updates

08. July 2019
Rencontre – Dating Site <= 3.1.2 - SQLi & XSS

07. July 2019
WooCommerce <= 3.6.4 - Cross-Site Request Forgery (CSRF) & File Type Check

06. July 2019
Appointment Booking Calendar <= 1.3.18 - Unauthenticated Stored XSS

05. July 2019
Gallery Photoblocks <= 1.1.40 - Unauthenticated Reflected XSS

05. July 2019
Zoner – Real Estate <= 4.1 - Reflected & Stored XSS

05. July 2019
MyBookTable <= 3.2.2 - Multiple XSS

05. July 2019
Ocean Extra <= 1.5.8 - Unauthenticated Settings change and CSS injection

05. July 2019
Essential Real Estate <= 1.7.1 - XSS

04. July 2019
Visitors Traffic Real Time Statistics <= 1.12 - CSRF to Stored XSS/SQLi

03. July 2019
WP Statistics <= 12.6.6.1 - Unauthenticated Stored XSS Under Certain Configurations

03. July 2019
Simple Mail Address Encoder <= 1.6.1 - Reflected Authenticated XSS

02. July 2019
Live Chat Unlimited <= 2.8.3 Stored XSS Injection

02. July 2019
Insert or Embed Articulate Content into WordPress <= 4.2999 - Authenticated Arbitrary Folder Deletion and Rename

02. July 2019
Insert or Embed Articulate Content into WordPress <= 4.2998 - Authenticated RCE

02. July 2019
Widget Logic <= 5.10.2 - CSRF and Lack of Authorisation

02. July 2019
WP Statistics <= 12.6.6.1 - Unauthenticated Blind SQL Injection

29. June 2019
Watu Quizz <= 3.1.2.5 - Reflected XSS via question-form.html.php

28. June 2019
360 Product Rotation <= 1.4.7 - Reflected XSS

28. June 2019
Widget Logic <= 5.9.0 - CSRF to RCE

27. June 2019
Block WP Login <= 1.3.0 - CSRF and Unauthorised Option Update

27. June 2019
WebP Converter for Media <= 1.0.2 - CSRF

27. June 2019
ACF Better Search <= 3.3.0 - CSRF

27. June 2019
WP Better Permalinks <= 3.0.4 - CSRF allowing Option Update

27. June 2019
SAML SP Single Sign On <= 4.8.72 - Cross-Site Scripting (XSS)

26. June 2019
WP Ultimate Recipe <= 3.12.6 - Authenticated Stored XSS

26. June 2019
Import users from CSV with meta <= 1.14.1.3 - CSRF

26. June 2019
WebP Express <= 0.14.4 - Authenticated Stored XSS

23. June 2019
Revamp CRM for WooCommerce <= 1.0.3 - LFI

23. June 2019
Custom 404 Pro <= 3.2.7 - Authenticated Reflected XSS

23. June 2019
CP Contact Form with Paypal <= 1.2.97 - Authenticated XSS

22. June 2019
Deny All Firewall <= 1.1.6 - CSRF

21. June 2019
Seo By Rank Math <= 1.0.27.0 - Authenticated Settings Reset

21. June 2019
Sina Extension For Elementor <= 2.2.0 - LFI

21. June 2019
ConvertPlus <= 3.4.4 - Multiple Issues

20. June 2019
Dropshix <= 4.0.11 - Arbitrary Product Import

19. June 2019
Shortlinks by Pretty Links <= 2.1.9 - Stored XSS and CSV Injection

19. June 2019
Facebook for WooCommerce <= 1.9.12 - CSRF allowing arbitrary Option Update

18. June 2019
Ninja Forms <= 3.3.21 - XSS and SQLi

18. June 2019
Easy Pdf Restaurant Menu Upload <= 1.1.1 - XSS

18. June 2019
GA Backend Tracking <= 1.2 - XSS

18. June 2019
Support Board – Chat And Help Desk | Support & Chat <= 1.2.8 Stored XSS

18. June 2019
Seo by Rank Math <= 1.0.26 - XSS Issues

18. June 2019
Messenger Customer Chat <=1.2 - CSRF

16. June 2019
WebP Express <= 0.14.0 - CSRF Issues

14. June 2019
WP-Members <= 3.2.7 CSRF Issue

12. June 2019
Breadcrumbs by menu <= 1.0.1 Multiple Issues

12. June 2019
Finale WooCommerce Sale Countdown <= 2.9.0 Arbitrary File Upload

12. June 2019
Related YT Videos <= 1.9.8 - CSRF & XSS

12. June 2019
Affiliates Manager <= 2.6.5 - CSRF Issues

12. June 2019
Easy Download Manager <= 2.9.15 - Stored XSS

12. June 2019
Download Manager <= 2.9.96 - Various Sanitisation Issues

12. June 2019
WP Google Maps <= 7.11.27 - Admin Settings CSRF

11. June 2019
WP Statistics <= 12.6.5 - Authenticated Stored XSS

07. June 2019
User Submitted Posts <= 20190426 Arbitrary File Upload

07. June 2019
Crelly Slider <= 1.3.4 Arbitrary File Upload

01. June 2019
Paid Memberships Pro <= 2.0.5 - Authenticated Open Redirect

31. May 2019
Hustle <= 6.0.7 - Unauthenticated CSV Injection

30. May 2019
ConvertPlus <= 3.4.2 - Unauthenticated Arbitrary User Role Creation

29. May 2019
JobCareer | Job Board Responsive WordPress Theme v2.5 Stored XSS Injection

29. May 2019
Traveler – Travel Booking WordPress Theme v2.7.1 Reflected & Stored XSS Injections

29. May 2019
Slick Popup – Privilege Escalation

29. May 2019
WP Database Backup <= 5.1.2 - Unauthenticated OS Command Injection

27. May 2019
Event Management Tickets Booking By Event Monster <=1.0.5 Stored XSS

27. May 2019
Carts Guru – Unauthenticated Object Injection

27. May 2019
Virim – Unauthenticated Object Injection

27. May 2019
Hostel Plugin <=1.1.3 - Unauthenticated Stored XSS

27. May 2019
Simple File List Plugin <=3.2.4 - Arbitrary File Delete

27. May 2019
Simple File List Plugin <=3.2.4 - Arbitrary File Download

24. May 2019
Form Maker by 10Web <= 1.13.2 - Authenticated SQL Injection

22. May 2019
Slimstat < 4.8.1 Stored XSS from Visitors

22. May 2019
WP Booking System <= 1.5.1.1 - CSRF to Authenticated SQL Injection

22. May 2019
Live Chat with Facebook Messenger <= 1.4.6 - Stored XSS

22. May 2019
wp-graphql <= 0.2.3 Multiple exploits

21. May 2019
Newsletter Manager – Unauthenticated Open Redirect

20. May 2019
FV Flowplayer Video Player <= 7.3.14.727 - CSV Export

20. May 2019
FV Flowplayer Video Player <= 7.3.14.727 - SQL Injection

20. May 2019
FV Flowplayer Video Player <= 7.3.13.727 - Unauthenticated Stored XSS

17. May 2019
WP Live Chat Support <= 8.0.26 - Unauthenticated Stored XSS

14. May 2019
Ultimate Member <= 2.0.45 - Multiple Vulnerabilities

14. May 2019
Register IPs <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

10. May 2019
Custom Field Suite <= 2.5.14 - Authenticated Cross-Site Scripting (XSS)

10. May 2019
Ninja Forms File Uploads Extension <= 3.0.22 - Unauthenticated Arbitrary File Upload

07. May 2019
Cryptographic signature bypass in w3-total-cache < 0.9.7.4

07. May 2019
SSRF / RCE via phar:// in w3-total-cache < 0.9.7.4

07. May 2019
Reflected XSS in w3-total-cache < 0.9.7.4

04. May 2019
Download All-in-One Event Calendar <= 2.5.38 - Cross-Site Scripting (XSS)

03. May 2019
My Calendar <= 3.1.9 - Unauthenticated Cross-Site Scripting (XSS)

02. May 2019
Blog Designer <= 1.8.10 - Unauthenticated Stored Cross-Site Scripting (XSS)

Liability disclaimer

The information presented on these pages is not intended to be regarded as legally binding. Since pages published on the internet are often changed, the contents, representations and images/videos must be evaluated as found. Jaispirit Co., Ltd. assumes no liability for any possible damages, loss of earnings or other economic losses incurred as a result of the information, texts or contexts presented on these pages.
