Wordfence Intelligence Weekly WordPress Vulnerability Report (January 6, 2025 to January 12, 2025)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Last week, there were 354 vulnerabilities disclosed in 321 WordPress Plugins and 23 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 67 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 22,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WAF-RULE-793 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
SOPROBRO	54
vgo0	34
João Pedro Soares de Alcântara	22
Lucio Sá	19
Hassan Khan Yusufzai – Splint3r7	16
zaim	14
Peter Thaleikis	12
0xd4rk5id3	11
Bob Matyas	10
Mika	8
Dhabaleshwar Das	8
yudha	8
zakaria	7
Francesco Carlucci	7
Colin Xu	7
Tieu Pham Trong Nhan	7
Le Ngoc Anh	7
Abdi Pranata	6
Webbernaut	6
Caesar Evan Santoso	5
zer0gh0st	5
theviper17y	5
stealthcopter	4
SavPhill (Savphill)	3
Khalid Yusuf	3
abrahack	3
Noah Stead (TurtleBurg)	3
Ankit Patel	3
LVT-tholv2k	3
Dimas Maulana	3
Thanh Nam Tran	3
Ryan Zegar	2
BrokenAC ignore	2
Pham Van Tam	2
Trương Hữu Phúc (truonghuuphuc)	2
Robert DeVore	2
Frissi0n	2
Michael	2
1337_Wannabe	2
shaman0x01	2
Arkadiusz Hydzik	2
Brian Sans-Souci (liardom)	2
Gab	2
Joshua Chan	2
thiennv	2
Edisc	1
István Márton	1
Webula	1
Tonn	1
villu164	1
Brian Mungai	1
incognito	1
nvthien	1
minhtuanact	1
Yamil	1
hunter85	1
Rafie Muhammad	1
akas wisnu aji	1
Ross Harper	1
Nguyen Vuong Quoc	1
Ananda Dhakal	1
PetrusViet	1
Apostolos Sakellariou	1
Régis SENET	1
wesley (wcraft)	1
Nishiv	1
Sharanabasappa	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
1003 Mortgage Application	1003-mortgage-application
140+ Widgets | Xpro Addons For Elementor – FREE	xpro-elementor-addons
3DVieweronline	3dvieweronline-wp
4ECPS Web Forms	4ecps-webforms
A5 Custom Login Page	custom-login-page
Able Player for WordPress	wp-able-player
Accordion Slider Lite	accordion-slider-lite
Action Network	wp-action-network
AddFunc Mobile Detect	addfunc-mobile-detect
Admin debug wordpress – enable debug	dzs-enable-debug
Advanced Product Information for WooCommerce	woo-advanced-product-information
Affiliate Disclosure Statement	affiliate-disclosure-statement
AI for SEO – Bulk Generate Metadata, Alt Text, Image Titles, Captions, Descriptions	ai-for-seo
AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K)	ai-scribe-the-chatgpt-powered-seo-content-creation-wizard
AI WP Writer – automatic content creator, ChatGPT, GPT-4, Dalle 3, FLUX	ai-wp-writer
Alpha Price Table For Elementor	alpha-price-table-for-elementor
Altra Side Menu	altra-side-menu
App Embed	appizy-app-embed
Arcade Ready	arcadeready
ARS Affiliate Page Plugin	ars-affiliate-page
Author Avatars List/Block	author-avatars
Automate Hub Free by Sperse.IO	automate-hub-free-by-sperse-io
Axact Author List Widget	knr-author-list-widget
Better User Shortcodes	better-user-shortcodes
Biltorvet Dealer Tools	biltorvet-dealer-tools
Binary MLM Woocommerce	woo-binary-mlm
Bitly’s WordPress Plugin	wp-bitly
Bizapp for WooCommerce	bizapp-for-woocommerce
Black Widgets For Elementor	black-widgets
Booking Calendar Pro WpDevArt	booking-calendar-pro
Booking calendar, Appointment Booking System	booking-calendar
Boot-Modal	boot-modal
Bootstrap Blocks for WP Editor v2	wp-editor-bootstrap-blocks
BP Profile Shortcodes Extra	bp-profile-shortcodes-extra
Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin	bus-ticket-booking-with-seat-reservation
Button Block – Get fully customizable & multi-functional buttons	button-block
BWD Elementor Addons (2500+ presets, Meet The Team, Lottie, Lord Icon, Masking, Woocommerce, Theme Builder, Products, Blogs, CV, Contact Form 7 Styler, Header, Slider, Hero Section)	bwd-elementor-addons
Candifly	candifly
Canvasflow for WordPress	canvasflow
CC Canadian Mortgage Calculator	cc-canadian-mortgage-calculator
CF Internal Link Shortcode	internal-link-shortcode
Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode	chat-viber
ChatBot Conversational Forms	conversational-forms
Chative Live chat and Chatbot	chative-live-chat-and-chatbot
Chatroll Live Chat	chatroll-live-chat
Clasify Classified Listing	clasify-classified-listing
ClickDesigns	clickdesigns
ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages	clickwhale
CLUEVO LMS, E-Learning Platform	cluevo-lms
Common Ninja: Fully Customizable & Perfectly Responsive Free Widgets for WordPress Websites	common-ninja
Compare Products for WooCommerce	woocommerce-compare-products
Competition Form	competition-form
Content Blocks Builder – Create block, variation, repeater block with carousel, grid, accordion, popup, off-canvas layout	content-blocks-builder
Cost Calculator Builder PRO	cost-calculator-builder-pro
Coupon Plugin	coupon-lite
Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups	coupon-x-discount-pop-up
Croma Music	croma-music
CubeWP Forms – All-in-One Form Builder	cubewp-forms
Custom DataBase Tables	custom-database-tables
Custom Field For WP Job Manager	custom-field-for-wp-job-manager
Custom Field Manager	custom-field-manager
Custom Product Tabs for WooCommerce	yikes-inc-easy-custom-woocommerce-product-tabs
Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer	3d-flipbook-dflip-lite
Deliver via Shipos for WooCommerce	wc-shipos-delivery
Dental Optimizer Patient Generator App	dental-optimizer-patient-generator-app
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler	cf7-styler
DirectoryPress – Business Directory And Classified Ad Listing	directorypress
Dominion – Domain Checker for WPBakery	dominion-domain-checker-wpbakery-addon
Donation Block For PayPal	donations-block
Duplicate Post, Page and Any Custom Post	duplicate-pp
Dyn Business Panel	dyn-business-panel
Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder	easy-form-builder
ECT Home Page Products	ect-homepage-products
eDoc Easy Tables – Best WordPress Table Maker	edoc-easy-tables
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)	bdthemes-element-pack-lite
Elementor Addons AI Addons – 70 Widgets, Premium Templates, Ultimate Elements	ai-addons-for-elementor
Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail	yeemail
Emailing Subscription	email-suscripcion
Enable Accessibility	enable-accessibility
Error Log Viewer By WP Guru	error-log-viewer-wp
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates	essential-blocks
Essential WP Real Estate	essential-wp-real-estate
Estatik Mortgage Calculator	estatik-mortgage-calculator
Export Import Menus	export-import-menus
F4 Post Tree	f4-tree
FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor	post-block
Fantastic ElasticSearch	fantastic-elasticsearch
Fast Tube	fast-tube
FAT Event Lite	fat-event-lite
Featured Page Widget	featured-page-widget
Files Download Delay	files-download-delay
Financial Stocks & Crypto Market Data Plugin	live-stock-prices-for-wordpress
Food Store – Online Food Delivery & Pickup	food-store
Formaloo Form Maker & Customer Analytics for WordPress & WooCommerce	formaloo-form-builder
Free WooCommerce Theme 99fy Extension	99fy-core
Garden Gnome Package	garden-gnome-package
GatorMail SmartForms	gatormail-smart-forms
GDY Modular Content	gdy-modular-content
Genesis Style Shortcodes	genesis-style-shortcodes
Geo Content	geo-targetly-geo-content
Gift Cards for WooCommerce Pro	gift-cards-for-woocommerce-pro
GiveWP – Donation Plugin and Fundraising Platform	give
Google Maps Travel Route	google-maps-travel-route
Greenshift – animation and page builder blocks	greenshift-animation-and-page-builder-blocks
Grid Accordion Lite	grid-accordion-lite
GS Insever Portfolio	gs-instagram-portfolio
Gutenberg Blocks with AI by Kadence WP – Page Builder Features	kadence-blocks
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor	gutentor
Happy Addons for Elementor	happy-elementor-addons
Hash Elements	hash-elements
Help Scout	help-scout
Hero Banner Ultimate	hero-banner-ultimate
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress	hive-support
Horoscope And Tarot	horoscope-and-tarot
Host PHP Info	host-php-info
Huurkalender WP	huurkalender-wp
Icons Enricher	icons-enricher
ICS Button	ics-button
iframe to embed	iframe-to-embed
Image Magnify	image-magnify
Infility Global	infility-global
InfiniteWP Client	iwp-client
Inline Tweets	inline-tweets
Instabot: Chatbot to Increase Conversions on WordPress. Try for Free	instabot
JK Html To Pdf	jk-html-to-pdf
JoomSport – for Sports: Team & League, Football, Hockey & more	joomsport-sports-league-results-management
jQuery TwentyTwenty	js-twentytwenty
Jupiter X Core	jupiterx-core
Justified Image Gallery	justified-image-gallery
Laika Pedigree Tree	laika-pedigree-tree
LazyLoad Background Images	lazyload-background-images
Legacy ePlayer	sportspress-tv
Linear	linear
Link Whisper Free	link-whisper
linkID	linkid
List Pages at Depth	list-pages-at-depth
Live Flight Radar	live-flight-radar
Live Sales Notification for Woocommerce – Woomotiv	woomotiv
LucidLMS	lucidlms
Mailing Group Listserv	wp-mailing-group
Marketplace Items	marketplace-items
MAS Elementor	mas-addons-for-elementor
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations	master-addons
mcjh button shortcode	mcjh-button-shortcode
MDTF – Meta Data and Taxonomies Filter	wp-meta-data-filter-and-taxonomy-filter
Member Access	member-access
Metadata SEO	metadata-seo
Meteor Slides	meteor-slides
MIMO Woocommerce Order Tracking	mimo-woocommerce-order-tracking
Mind Doodle Visual Sitemaps & Tasks	mind-doodle-sitemap
MindValley Super PageMash	mindvalley-pagemash
MIPL WC Multisite Sync – Synchronize WC Products, Orders, Customers & Coupons across multiple sites	mipl-wc-multisite-sync
Modula Image Gallery	modula-best-grid-gallery
MT Addons for Elementor	mt-addons-for-elementor
Muslim Prayer Time-Salah/Iqamah	masjidal
MyBookTable Bookstore by Stormhill Media	mybooktable
NC Wishlist for Woocommerce	nc-wishlist-for-woocommerce
News Publisher Autopilot	wpm-news-api
News Ticker Widget for Elementor	news-ticker-widget-for-elementor
Newsletter2Go	newsletter2go
Norse Rune Oracle Plugin	norse-runes-oracle
Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords	muzaara-adwords-optimize-dashboard
Orbit Fox by ThemeIsle	themeisle-companion
Passster – Password Protect Pages and Content	content-protector
PayGreen Payment Gateway	paygreen-payment-gateway
PayU CommercePro Plugin	payu-india
PDF Catalog Woocommerce	pdf-catalog-woocommerce
Perfect Portal Widgets	perfect-portal-widgets
PixelYourSite – Your smart PIXEL (TAG) & API Manager	pixelyoursite
PIXNET Plugin	pixnet
Plugin Name: ldap_login_password_and_role_manager	ldap-login-password-and-role-manager
Popup – MailChimp, GetResponse and ActiveCampaign Intergrations	ultimate-popup-creator
Post And Page Reactions	post-and-page-reactions
Post Duplicator	post-duplicator
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder	ajax-filter-posts
Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator	post-saint
Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more	post-smtp
Prayer Times Anywhere	prayer-times-anywhere
Pretty Url	pretty-url
Privacy Policy Genius	policy-genius
Product Table for WooCommerce by CodeAstrology (wooproducttable.com)	woo-product-table
Push Notification for Post and BuddyPress	push-notification-for-post-and-buddypress
Pósturinn’s Shipping with WooCommerce	posturinn
Qr Code and Barcode Scanner Reader	qr-code-and-barcode-scanner-reader
Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress	quillforms
Quote Tweet	quote-tweet
Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin	booking-and-rental-manager-for-woocommerce
ResAds	resads
Responsive Flickr Slideshow	mobile-friendly-flickr-slideshow
Responsive FlipBook Plugin WordPress	responsive-flipbook
RightMessage WP	rightmessage
RRAddons for Elementor	rrdevs-for-elementor
RSVP and Event Management	rsvp
S3Player – WooCommerce & Elementor Integration	drm-protected-video-streaming
Same but Different – Related Posts by Taxonomy	same-but-different
Saoshyant Page Builder	saoshyant-page-builder
Scan External Links	scan-external-links
Scanventory	woocommerce-inventory-management
School Management System – SakolaWP	sakolawp-lite
School Management System – WPSchoolPress	wpschoolpress
Searchie	searchie
Sell Digital Downloads	sell-digital-downloads
Sell Media	sell-media
Sellsy	sellsy
SEMA API	sema-api
SEO Keywords	seo-keywords
SEO LAT Auto Post	seo-beginner-auto-post
Service Box	service-boxs
Shipping via Planzer for WooCommerce	wc-planzer-shipping
Shopping Cart & eCommerce Store	wp-easycart
Show Google Analytics widget	show-google-analytics-widget
Simple add pages or posts	simple-add-pages-or-posts
Simple Photo Sphere	simple-photo-sphere
Simple Video Management System	simple-video-management-system
SimplyRETS Real Estate IDX	simply-rets
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)	sina-extension-for-elementor
SingSong	singsong
Site PIN	site-pin
Skill Bars	skillbars
SKT Page Builder	skt-builder
Skyword API Plugin	skyword-plugin
SlideDeck 1 Lite Content Slider	slidedeck-lite-for-wordpress
Slider Pro Lite	slider-pro-lite
Slides & Presentations	slide
Slotti Ajanvaraus	slotti-ajanvaraus
Smart Agenda – Prise de rendez-vous en ligne	smart-agenda-prise-de-rendez-vous-en-ligne
Smart Custom Fields	smart-custom-fields
SmartEmailing.cz	smartemailing
Smoothness Slider Shortcode	smoothness-slider-shortcode
SMS Alert Order Notifications – WooCommerce	sms-alert
Social Rocket – Social Sharing Plugin	social-rocket
Social Share Buttons for WordPress	share-buttons
Solar Wizard Lite	solar-wizard-lite
Spacer	spacer
SpeakOut! Email Petitions	speakout
ST Gallery WP	st-gallery-wp
Store credit / Gift cards for woocommerce	store-credit-for-woocommerce
Surbma | Premium WP	surbma-premium-wp
SureForms – Drag and Drop Form Builder for WordPress	sureforms
SweepWidget Contests, Giveaways, Photo Contests, Competitions	sweepwidget
Tabulate	tabulate
TCBD Auto Refresher	tcbd-auto-refresher
TemplatesNext ToolKit	templatesnext-toolkit
The Ultimate WordPress Toolkit – WP Extended	wpextended
Themes Coder – Create Android & iOS Apps For Your Woocommerce Site	tc-ecommerce
Themesflat Addons For Elementor	themesflat-addons-for-elementor
ThePerfectWedding.nl Widget	theperfectweddingnl-widget
Thim Elementor Kit	thim-elementor-kit
Timeline Designer	timeline-designer
Timeline Pro	timeline-pro
Title Experiments Free	wp-experiments-free
Tock Widget	tock-widget
Toggles Shortcode and Widget	toggles-shortcode-and-widget
Trackserver	trackserver
Transporters.io	transportersio
TRUSTist REVIEWer	trustist-reviewer
TubePress.NET	tubepressnet
Twitter Bootstrap Collapse aka Accordian Shortcode	twitter-bootstrap-collapse-aka-accordian-shortcode
Typing Text	typing-text
Ukrposhta	woo-ukrposhta
Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates	woo-gift-cards-lite
Ultimate Image Hover Effects	ultimate-image-hover-effects
Unilevel MLM Plan	unilevel-mlm-plan
Unlimited Elements For Elementor	unlimited-elements-for-elementor
Unlimited Theme Addon For Elementor and WooCommerce	unlimited-theme-addons
Uptime Robot	uptime-robot
Uptodown APK Download Widget	uptodown-apk-download-widget
Urdu Formatter – Shamil	urdu-formatter-shamil
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor	profile-builder
Video Embed Optimizer	video-embed-optimizer
ViewMedica 9	viewmedica
Virtual Bot	virtual-bot
VR Views	vr-views
WC Price History	wc-price-history
WC1C	wc1c-main
WE Blocks – Image, Testimonial And Logo Slider Gutenberg Blocks	we-blocks
WhatsApp click to chat	manycontacts-bar
Widgetize Pages Light	widgetize-pages-light
Woocommerce check pincode/zipcode for shipping	woocommerce-check-pincode-zipcode-for-shipping
WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket	woocommerce-digital-content-delivery-with-drm-flickrocket
WooCommerce HSS Extension for Streaming Video	woocommerce-hss-extension-for-streaming-video
WOOEXIM – WooCommerce Export Import Plugin	wooexim
WordLift – AI powered SEO – Schema	wordlift
WordPress File Upload	wp-file-upload
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto	tripetto
WordPress Google Map Professional (Map In Your Language)	google-map-professional
WordPress Header Builder Plugin – Pearl	pearl-header-builder
WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress	wp-survey-and-poll
WordPress Webinar Plugin – WebinarPress	wp-webinarsystem
WordPress连接微博	wp-connect
WP Cookie	wp-cookie
wp custom countdown	wp-custom-countdown
WP Database Backup – Unlimited Database & Files Backup by Backup for WP	wp-database-backup
WP Delete Post Copies	etruel-del-post-copies
WP FullCalendar	wp-fullcalendar
WP Github	wp-github
WP Header Notification	wp-header-notification
wp Hosting Performance Check	wp-hosting-performance-check
WP Job Portal – A Complete Recruitment System for Company or Job Board website	wp-job-portal
WP Joomag	wp-joomag
WP jQuery DataTable	wp-jquery-datatable
WP Mailster	wp-mailster
WP MediaTagger	wp-mediatagger
WP Music Player	wp-music-player
WP SPID Italia	wp-spid-italia
WP Travel – Ultimate Travel Booking System, Tour Management Engine	wp-travel
WP Triggers Lite	wp-triggers-lite
WP Visitor Statistics (Real Time Traffic)	wp-stats-manager
WP Wand – AI Writer, AI Content Generator & AI Assistant by ChatGPT, OpenAI | Generate SEO Friendly AI Blog Post & Article with 20X Speed	ai-content-generation
WP Youtube Gallery	wp-youtube-gallery
WP – Bulk SMS – by SMS.to	wp-bulk-sms
WPBITS Addons For Elementor Page Builder	wpbits-addons-for-elementor
WPBookit	wpbookit
WPEX Replace DB Urls	wpex-replace
WPListCal	wplistcal
WPMU Prefill Post	wpmu-prefill-post
YOGO Booking	yogo-booking
Yumpu E-Paper publishing	yumpu-epaper-publishing
Zephyr Admin Theme	zephyr-modern-admin-theme
فرم ساز فرم افزار	formafzar
아임포트 결제버튼 생성 플러그인	iamport-payment

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

4ECPS Web Forms <= 0.2.18 – Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-22504

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
4ECPS Web Forms

Researcher

João Pedro Soares de Alcântara

More Details >

FAT Event Lite <= 1.1 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-22508

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
FAT Event Lite

Researcher

Dimas Maulana

More Details >

GiveWP – Donation Plugin and Fundraising Platform <= 3.19.2 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-12877

Patch Status
Patched

Published
Jan 10, 2025

Affected Software
GiveWP – Donation Plugin and Fundraising Platform

Researcher

PetrusViet

More Details >

GiveWP – Donation Plugin and Fundraising Platform <= 3.19.3 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-22777

Patch Status
Patched

Published
Jan 10, 2025

Affected Software
GiveWP – Donation Plugin and Fundraising Platform

Researcher

Edisc

More Details >

PayU CommercePro Plugin <= 3.8.3 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-12264

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
PayU CommercePro Plugin

Researcher

wesley (wcraft)

More Details >

Post Grid Master <= 3.4.12 – Missing Authorization to Unauthenticated Local PHP File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-11642

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder

Researcher

1337_Wannabe

More Details >

School Management System – SakolaWP <= 1.0.8 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-12470

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
School Management System – SakolaWP

Researcher

Thanh Nam Tran

More Details >

SEO LAT Auto Post <= 2.2.1 – Missing Authorization to File Overwrite/Upload (Remote Code Execution)

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-12252

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
SEO LAT Auto Post

Researcher

Lucio Sá

More Details >

Themes Coder – Create Android & iOS Apps For Your Woocommerce Site <= 1.3.4 – Insecure Direct Object Reference to Password Change/Account Takeover/Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-12402

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Themes Coder – Create Android & iOS Apps For Your Woocommerce Site

Researcher

Tieu Pham Trong Nhan

More Details >

WordPress File Upload <= 4.24.12 – Unuathenticated Remote Code Execution

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-11635

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
WordPress File Upload

Researcher

abrahack

More Details >

WordPress File Upload <= 4.24.15 – Unauthenticated Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-11613

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
WordPress File Upload

Researcher

abrahack

More Details >

WPBookit <= 1.6.4 – Unauthenticated Arbitrary User Password Change

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-10215

Patch Status
Patched

Published
Jan 9, 2025

Affected Software
WPBookit

Researcher

István Márton

More Details >

Croma Music <= 3.6 – Authenticated (Subscriber+) Arbitrary Options Update in ironMusic_ajax

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12202

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Croma Music

Researcher

Tonn

More Details >

Garden Gnome Package <= 2.3.0 – Authenticated (Author+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12854

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Garden Gnome Package

Researcher

Lucio Sá

More Details >

Hero Banner Ultimate <= 1.4.2 – Authenticated (Author+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-22305

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Hero Banner Ultimate

Researcher

João Pedro Soares de Alcântara

More Details >

Modula Image Gallery <= 2.11.10 – Authenticated (Author+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12853

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Modula Image Gallery

Researcher

SavPhill (Savphill)

More Details >

Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator <= 1.3.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12471

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator

Researcher

Lucio Sá

More Details >

SKT Page Builder <= 4.6 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12848

Patch Status
Patched

Published
Jan 8, 2025

Affected Software
SKT Page Builder

Researchers

stealthcopter

theviper17y

More Details >

SMS Alert Order Notifications – WooCommerce <= 3.7.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-11725

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
SMS Alert Order Notifications – WooCommerce

Researcher

1337_Wannabe

More Details >

The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 – Missing Authorization to Authenticated (Subscriber+) Remote Code Execution

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-11816

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
The Ultimate WordPress Toolkit – WP Extended

Researchers

stealthcopter

theviper17y

More Details >

ThePerfectWedding.nl Widget <= 2.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12322

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
ThePerfectWedding.nl Widget

Researcher

vgo0

More Details >

WordPress Webinar Plugin – WebinarPress <= 1.33.24 – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Creation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-11270

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
WordPress Webinar Plugin – WebinarPress

Researcher

Lucio Sá

More Details >

WordPress Webinar Plugin – WebinarPress <= 1.33.24 – Missing Authorization to Authenticated (Subscriber+) Webinar Updates

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-11271

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
WordPress Webinar Plugin – WebinarPress

Researcher

Lucio Sá

More Details >

Host PHP Info <= 1.0.4 – Missing Authorization to Unauthenticated Sensitive Information Disclosure

8.6

CVSS Rating
High (8.6)

CVE-ID
CVE-2024-12535

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Host PHP Info

Researcher

Francesco Carlucci

More Details >

linkID <= 0.1.2 – Missing Authorization to Unauthenticated Sensitive Information Exposure

8.6

CVSS Rating
High (8.6)

CVE-ID
CVE-2024-12542

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
linkID

Researcher

Francesco Carlucci

More Details >

Compare Products for WooCommerce <= 3.2.1 – Unauthenticated PHP Object Injection

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-12313

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Compare Products for WooCommerce

Researcher

Brian Sans-Souci (liardom)

More Details >

CF Internal Link Shortcode <= 1.1.0 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12404

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
CF Internal Link Shortcode

Researcher

Frissi0n

More Details >

Cost Calculator Builder PRO <= 3.2.15 – Unauthenticated SQL Injection via data

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-11939

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Cost Calculator Builder PRO

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups <= 1.3.5 – Missing Authorization to Authenticated (Contributor+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12627

Patch Status
Patched

Published
Jan 10, 2025

Affected Software
Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups

Researcher

Lucio Sá

More Details >

Emailing Subscription <= 1.4.1 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-22540

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Emailing Subscription

Researcher

João Pedro Soares de Alcântara

More Details >

Error Log Viewer By WP Guru <= 1.0.1.3 – Missing Authorization to Unauthenticated Arbitrary File Read

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12849

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Error Log Viewer By WP Guru

Researcher

yudha

More Details >

MIPL WC Multisite Sync <= 1.1.5 – Unauthenticated Arbitrary File Download

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12152

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
MIPL WC Multisite Sync – Synchronize WC Products, Orders, Customers & Coupons across multiple sites

Researcher

nvthien

More Details >

Popup – MailChimp, GetResponse and ActiveCampaign Intergrations <= 3.2.6 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12157

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Popup – MailChimp, GetResponse and ActiveCampaign Intergrations

Researcher

Lucio Sá

More Details >

Ultimate Gift Cards for WooCommerce <= 3.0.6 – Missing Authorization to Infinite Money Glitch

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-11423

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Gift Cards for WooCommerce Pro
Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates

Researcher

Ross Harper

More Details >

Virtual Bot <= 1.0.0 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-22542

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Virtual Bot

Researcher

Caesar Evan Santoso

More Details >

Woomotiv <= 3.6.1 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12416

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Live Sales Notification for Woocommerce – Woomotiv

Researcher

Frissi0n

More Details >

WordPress File Upload <= 4.24.13 – Unauthenticated Path Traversal to Arbitrary File Read in wfu_file_downloader.php

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-9939

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
WordPress File Upload

Researcher

abrahack

More Details >

WP Database Backup – Unlimited Database & Files Backup by Backup for WP <= 7.3 – Unauthenticated Database Back-Up Exposure

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12330

Patch Status
Patched

Published
Jan 8, 2025

Affected Software
WP Database Backup – Unlimited Database & Files Backup by Backup for WP

Researcher

Noah Stead (TurtleBurg)

More Details >

The Ultimate WordPress Toolkit – WP Extended <= 3.0.11 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

7.4

CVSS Rating
High (7.4)

CVE-ID
CVE-2024-11916

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
The Ultimate WordPress Toolkit – WP Extended

Researcher

Lucio Sá

More Details >

Custom Product Tabs for WooCommerce <= 1.8.5 – Authenticated (Shop Manager+) PHP Object Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-11465

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Custom Product Tabs for WooCommerce

Researcher

Francesco Carlucci

More Details >

Inline Tweets <= 2.0 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-22570

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Inline Tweets

Researcher

SOPROBRO

More Details >

WC Price History for Omnibus <= 2.1.4 – Authenticated (Shop manager+) PHP Object Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-22510

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
WC Price History

Researcher

Webula

More Details >

WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto <= 8.0.6 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-22295

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

Researcher

Joshua Chan

More Details >

JoomSport <= 5.6.17 – Reflected Cross-Site Scripting via page

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2024-12633

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
JoomSport – for Sports: Team & League, Football, Hockey & more

Researcher

Colin Xu

More Details >

AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) <= 2.3 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12473

Patch Status
Unpatched

Published
Jan 9, 2025

Affected Software
AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K)

Researcher

Peter Thaleikis

More Details >

Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.7.0 – Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12419

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler

Researcher

Arkadiusz Hydzik

More Details >

eDoc Easy Tables <= 1.29 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-22519

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
eDoc Easy Tables – Best WordPress Table Maker

Researcher

Colin Xu

More Details >

Google Maps Travel Route <= 1.3.1 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-22537

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Google Maps Travel Route

Researcher

João Pedro Soares de Alcântara

More Details >

Infility Global <= 2.9.8 – Authenticated (Subscriber+) Missing Authorization to Plugin Options Update

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-11496

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Infility Global

Researcher

Francesco Carlucci

More Details >

MDTF – Meta Data and Taxonomies Filter <= 1.3.3.5 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12030

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
MDTF – Meta Data and Taxonomies Filter

Researcher

Thanh Nam Tran

More Details >

NC Wishlist for Woocommerce <= 1.0.1 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-22505

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
NC Wishlist for Woocommerce

Researcher

Le Ngoc Anh

More Details >

School Management System – WPSchoolPress <= 2.2.14 – Authenticated (Student/Parent+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12332

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
School Management System – WPSchoolPress

Researcher

shaman0x01

More Details >

WP Travel – Ultimate Travel Booking System, Tour Management Engine <= 10.0.0 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12067

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
WP Travel – Ultimate Travel Booking System, Tour Management Engine

Researcher

shaman0x01

More Details >

WPListCal <= 1.3.5 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-22535

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WPListCal

Researcher

João Pedro Soares de Alcântara

More Details >

3DVieweronline <= 2.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12514

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
3DVieweronline

Researcher

zakaria

More Details >

Able Player <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22577

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Able Player for WordPress

Researcher

SOPROBRO

More Details >

Accordion Slider Lite <= 1.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11892

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Accordion Slider Lite

Researcher

yudha

More Details >

AddFunc Mobile Detect <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22550

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
AddFunc Mobile Detect

Researcher

SOPROBRO

More Details >

Advanced Product Information for WooCommerce <= 1.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22803

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Advanced Product Information for WooCommerce

Researcher

0xd4rk5id3

More Details >

Alpha Price Table For Elementor <= 1.0.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22500

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Alpha Price Table For Elementor

Researcher

Gab

More Details >

App Embed <= 2.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11749

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
App Embed

Researcher

zakaria

More Details >

Arcade Ready <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22581

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Arcade Ready

Researcher

SOPROBRO

More Details >

Author Avatars List/Block <= 2.1.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22804

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Author Avatars List/Block

Researcher

SOPROBRO

More Details >

Biltorvet Dealer Tools <= 1.0.22 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22580

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Biltorvet Dealer Tools

Researcher

SOPROBRO

More Details >

Black Widgets For Elementor <= 1.3.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22806

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Black Widgets For Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

Boot-Modal <= 1.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22551

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Boot-Modal

Researcher

SOPROBRO

More Details >

Bootstrap Blocks for WP Editor v2 <= 2.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12495

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Bootstrap Blocks for WP Editor v2

Researcher

zaim

More Details >

BP Profile Shortcodes Extra <= 2.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22817

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
BP Profile Shortcodes Extra

Researcher

Peter Thaleikis

More Details >

Button Block <= 1.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22815

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Button Block – Get fully customizable & multi-functional buttons

Researcher

Khalid Yusuf

More Details >

Candifly <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12440

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Candifly

Researcher

zakaria

More Details >

CC Canadian Mortgage Calculator <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11383

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
CC Canadian Mortgage Calculator

Researcher

SOPROBRO

More Details >

Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode <= 1.7.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12457

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode

Researcher

Peter Thaleikis

More Details >

Chatroll Live Chat <= 2.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12464

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Chatroll Live Chat

Researcher

Peter Thaleikis

More Details >

Common Ninja: Fully Customizable & Perfectly Responsive Free Widgets for WordPress Websites <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11382

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Common Ninja: Fully Customizable & Perfectly Responsive Free Widgets for WordPress Websites

Researcher

SOPROBRO

More Details >

Content Blocks Builder <= 2.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22810

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Content Blocks Builder – Create block, variation, repeater block with carousel, grid, accordion, popup, off-canvas layout

Researcher

Caesar Evan Santoso

More Details >

Conversational Forms for ChatBot <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22813

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
ChatBot Conversational Forms

Researcher

Peter Thaleikis

More Details >

Coupon Plugin <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12516

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Coupon Plugin

Researcher

SOPROBRO

More Details >

Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.3.52 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11830

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer

Researcher

Nguyen Vuong Quoc

More Details >

Dominion – Domain Checker for WPBakery <= 2.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12520

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Dominion – Domain Checker for WPBakery

Researcher

zaim

More Details >

Donation Block For PayPal <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22525

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Donation Block For PayPal

Researcher

zaim

More Details >

Easy Form Builder <= 3.8.8 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12112

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Easy Form Builder – WordPress plugin form builder: contact form, survey form, payment form, and custom form builder

Researcher

Noah Stead (TurtleBurg)

More Details >

Element Pack Lite – Addons for Elementor <= 5.10.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12851

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Researcher

zer0gh0st

More Details >

Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail <= 2.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22802

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail

Researcher

SavPhill (Savphill)

More Details >

Files Download Delay <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12493

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Files Download Delay

Researcher

zakaria

More Details >

formafzar <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22524

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
فرم ساز فرم افزار

Researcher

zaim

More Details >

Formaloo Form Maker & Customer Analytics for WordPress & WooCommerce <= 2.1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via address Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11934

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Formaloo Form Maker & Customer Analytics for WordPress & WooCommerce

Researcher

Peter Thaleikis

More Details >

Free WooCommerce Theme 99fy Extension <= 1.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22801

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Free WooCommerce Theme 99fy Extension

Researcher

João Pedro Soares de Alcântara

More Details >

GatorMail SmartForms <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11386

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
GatorMail SmartForms

Researcher

SOPROBRO

More Details >

Genesis Style Shortcodes <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22823

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Genesis Style Shortcodes

Researcher

0xd4rk5id3

More Details >

Geo Content <= 6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11887

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Geo Content

Researcher

zaim

More Details >

Greenshift – animation and page builder blocks <= 9.0.0 – Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery and Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-6155

Patch Status
Patched

Published
Jan 8, 2025

Affected Software
Greenshift – animation and page builder blocks

Researcher

Arkadiusz Hydzik

More Details >

Grid Accordion Lite <= 1.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11874

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Grid Accordion Lite

Researcher

yudha

More Details >

Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.4.2 – Authenticated (contributor+) Stored Cross-Site Scripting via Button Link

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12304

Patch Status
Patched

Published
Jan 10, 2025

Affected Software
Gutenberg Blocks with AI by Kadence WP – Page Builder Features

Researcher

zer0gh0st

More Details >

Gutentor <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22293

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor

Researcher

João Pedro Soares de Alcântara

More Details >

Happy Addons for Elementor <= 3.15.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12852

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Happy Addons for Elementor

Researcher

zer0gh0st

More Details >

Hash Elements <= 1.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22296

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Hash Elements

Researcher

Khalid Yusuf

More Details >

Horoscope And Tarot <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11337

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Horoscope And Tarot

Researcher

SOPROBRO

More Details >

Huurkalender WP <= 1.5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22528

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Huurkalender WP

Researcher

zaim

More Details >

Icons Enricher <= 1.0.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22573

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Icons Enricher

Researcher

SOPROBRO

More Details >

ICS Button <= 0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22574

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
ICS Button

Researcher

SOPROBRO

More Details >

iframe to embed <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22545

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
iframe to embed

Researcher

SOPROBRO

More Details >

Image Magnify <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11445

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Image Magnify

Researcher

zakaria

More Details >

jQuery TwentyTwenty <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22546

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
jQuery TwentyTwenty

Researcher

SOPROBRO

More Details >

Justified Image Gallery <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22518

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Justified Image Gallery

Researcher(s): Unknown

More Details >

Legacy ePlayer <= 0.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22572

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Legacy ePlayer

Researcher

SOPROBRO

More Details >

Linear <= 2.7.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12496

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Linear

Researcher

zaim

More Details >

List Pages at Depth <= 1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22517

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
List Pages at Depth

Researcher

SOPROBRO

More Details >

Live Flight Radar <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22824

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Live Flight Radar

Researcher

0xd4rk5id3

More Details >

Marketplace Items <= 1.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘marketplace’ Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12439

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Marketplace Items

Researcher

zakaria

More Details >

Marketplace Items <= 1.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12437

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Marketplace Items

Researcher

zaim

More Details >

MAS Elementor <= 1.1.7 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12328

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
MAS Elementor

Researcher

Ryan Zegar

More Details >

Master Addons — Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Tooltip Module

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-9502

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations

Researcher

Robert DeVore

More Details >

mcjh button shortcode <= 1.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22558

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
mcjh button shortcode

Researcher

SOPROBRO

More Details >

Metadata SEO <= 2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22516

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Metadata SEO

Researcher

SOPROBRO

More Details >

Meteor Slides <= 1.5.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12073

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Meteor Slides

Researcher

Brian Sans-Souci (liardom)

More Details >

Mind Doodle Visual Sitemaps & Tasks <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22544

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Mind Doodle Visual Sitemaps & Tasks

Researcher

SOPROBRO

More Details >

MT Addons for Elementor <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22811

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
MT Addons for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

Muslim Prayer Time-Salah/Iqamah <= 1.8.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12515

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Muslim Prayer Time-Salah/Iqamah

Researcher

SOPROBRO

More Details >

News Ticker Widget for Elementor <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22812

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
News Ticker Widget for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

Orbit Fox by ThemeIsle <= 2.10.43 – Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-0311

Patch Status
Patched

Published
Jan 9, 2025

Affected Software
Orbit Fox by ThemeIsle

Researcher

Webbernaut

More Details >

Orbit Fox by ThemeIsle <= 2.10.43 – Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-13183

Patch Status
Patched

Published
Jan 9, 2025

Affected Software
Orbit Fox by ThemeIsle

Researcher

Ankit Patel

More Details >

PDF Catalog Woocommerce <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22809

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
PDF Catalog Woocommerce

Researcher

theviper17y

More Details >

Perfect Portal Widgets <= 3.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12527

Patch Status
Patched

Published
Jan 10, 2025

Affected Software
Perfect Portal Widgets

Researcher

Peter Thaleikis

More Details >

PIXNET Plugin <= 2.9.10 – Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11338

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
PIXNET Plugin

Researcher

SOPROBRO

More Details >

Power Mag <= 1.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22816

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Power Mag

Researcher

stealthcopter

More Details >

Qr Code and Barcode Scanner Reader <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22819

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Qr Code and Barcode Scanner Reader

Researcher

0xd4rk5id3

More Details >

Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress <= 3.10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11826

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Quill Forms | The Best Typeform Alternative | Create Conversational Multi Step Form, Survey, Quiz, Cost Estimation or Donation Form on WordPress

Researcher

theviper17y

More Details >

Responsive Flickr Slideshow <= 2.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22807

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Responsive Flickr Slideshow

Researcher

0xd4rk5id3

More Details >

Responsive FlipBook Plugin WordPress <= 2.5.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11929

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Responsive FlipBook Plugin WordPress

Researchers

Tieu Pham Trong Nhan

incognito

More Details >

RightMessage WP <= 0.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12445

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
RightMessage WP

Researcher

zaim

More Details >

S3Player – WooCommerce & Elementor Integration <= 4.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22818

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
S3Player – WooCommerce & Elementor Integration

Researcher

Khalid Yusuf

More Details >

Searchie <= 1.17.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12819

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Searchie

Researcher

zakaria

More Details >

Sell Digital Downloads <= 2.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22826

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Sell Digital Downloads

Researcher

SOPROBRO

More Details >

Sell Media <= 2.5.8.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11777

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Sell Media

Researcher

zaim

More Details >

Sellsy <= 2.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12592

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Sellsy

Researcher

SOPROBRO

More Details >

Service Box <= 1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12699

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Service Box

Researcher

SOPROBRO

More Details >

Show Google Analytics widget <= 1.5.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22515

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Show Google Analytics widget

Researcher

SOPROBRO

More Details >

Simple Photo Sphere <= 0.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22532

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Simple Photo Sphere

Researcher

SOPROBRO

More Details >

SimplyRETS Real Estate IDX <= 2.11.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12491

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
SimplyRETS Real Estate IDX

Researcher

SOPROBRO

More Details >

Sina Extension for Elementor <= 3.5.91 – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Sina Image Differ

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12624

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)

Researcher

zer0gh0st

More Details >

Skill Bar <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22805

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Skill Bars

Researcher

0xd4rk5id3

More Details >

Skyword API Plugin <= 2.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11907

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Skyword API Plugin

Researcher

theviper17y

More Details >

Slider Pro Lite <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11899

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Slider Pro Lite

Researcher

yudha

More Details >

Slides & Presentations <= 0.0.39 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22511

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Slides & Presentations

Researcher

Caesar Evan Santoso

More Details >

Slotti Ajanvaraus <= 1.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12521

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Slotti Ajanvaraus

Researcher

Peter Thaleikis

More Details >

Smart Custom Fields <= 5.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22308

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Smart Custom Fields

Researcher

Robert DeVore

More Details >

Social Rocket <= 1.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-9702

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Social Rocket – Social Sharing Plugin

Researcher

Peter Thaleikis

More Details >

Solar Wizard Lite <= 1.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11764

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Solar Wizard Lite

Researcher

SOPROBRO

More Details >

SpeakOut! Email Petitions <= 4.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22309

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
SpeakOut! Email Petitions

Researcher

LVT-tholv2k

More Details >

StorePress <= 1.0.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22821

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
StorePress

Researcher

stealthcopter

More Details >

Surbma | Premium WP <= 9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22808

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Surbma | Premium WP

Researcher

SOPROBRO

More Details >

SweepWidget Contests, Giveaways, Photo Contests, Competitions <= 2.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11756

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
SweepWidget Contests, Giveaways, Photo Contests, Competitions

Researcher

SOPROBRO

More Details >

TCBD Auto Refresher <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12519

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
TCBD Auto Refresher

Researcher

zaim

More Details >

TemplatesNext ToolKit <= 3.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22310

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
TemplatesNext ToolKit

Researcher

LVT-tholv2k

More Details >

Themesflat Addons For Elementor <= 2.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12205

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Themesflat Addons For Elementor

Researcher

Webbernaut

More Details >

Thim Elementor Kit <= 1.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22312

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Thim Elementor Kit

Researcher

Michael

More Details >

Timeline Pro <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via [placeholder]

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22584

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Timeline Pro

Researcher

SOPROBRO

More Details >

Trackserver <= 5.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12505

Patch Status
Patched

Published
Jan 10, 2025

Affected Software
Trackserver

Researcher

yudha

More Details >

Twitter Bootstrap Collapse aka Accordian Shortcode <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12722

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Twitter Bootstrap Collapse aka Accordian Shortcode

Researcher

Bob Matyas

More Details >

Typing Text <= 1.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22315

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Typing Text

Researcher

SavPhill (Savphill)

More Details >

Ultimate Image Hover Effects <= 1.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22585

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Ultimate Image Hover Effects

Researcher

SOPROBRO

More Details >

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.135 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-13153

Patch Status
Patched

Published
Jan 8, 2025

Affected Software
Unlimited Elements For Elementor

Researcher

Webbernaut

More Details >

Uptodown APK Download Widget <= 0.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12453

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Uptodown APK Download Widget

Researcher

zaim

More Details >

Urdu Formatter – Shamil <= 0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22531

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Urdu Formatter – Shamil

Researcher

SOPROBRO

More Details >

Video Embed Optimizer <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22554

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Video Embed Optimizer

Researcher

SOPROBRO

More Details >

VR Views <= 1.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22820

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
VR Views

Researcher

0xd4rk5id3

More Details >

WE Blocks <= 1.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22529

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WE Blocks – Image, Testimonial And Logo Slider Gutenberg Blocks

Researcher

zaim

More Details >

WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress <= 1.7.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12528

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress

Researcher

yudha

More Details >

wp custom countdown <= 2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22822

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
wp custom countdown

Researcher

0xd4rk5id3

More Details >

WP FullCalendar <= 1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22261

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WP FullCalendar

Researcher

LVT-tholv2k

More Details >

WP Github <= 1.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22549

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WP Github

Researcher

SOPROBRO

More Details >

WP Joomag <= 2.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22827

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WP Joomag

Researcher

SOPROBRO

More Details >

WP jQuery DataTable <= 4.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12499

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
WP jQuery DataTable

Researcher

yudha

More Details >

WP MediaTagger <= 4.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-13101

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
WP MediaTagger

Researcher

Bob Matyas

More Details >

WP SPID Italia <= 2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11758

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
WP SPID Italia

Researcher

SOPROBRO

More Details >

WP Youtube Gallery <= 1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12590

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WP Youtube Gallery

Researcher

SOPROBRO

More Details >

WPBITS Addons For Elementor Page Builder <= 1.5.1 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22316

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
WPBITS Addons For Elementor Page Builder

Researcher

Michael

More Details >

YOGO Booking <= 1.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12462

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
YOGO Booking

Researcher

zaim

More Details >

Yumpu E-Paper publishing <= 3.0.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12621

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Yumpu E-Paper publishing

Researcher

yudha

More Details >

아임포트 결제버튼 생성 플러그인 <= 1.1.19 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22530

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
아임포트 결제버튼 생성 플러그인

Researcher

SOPROBRO

More Details >

A5 Custom Login Page <= 2.8.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13226

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
A5 Custom Login Page

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Action Network <= 1.4.4 – Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12394

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Action Network

Researcher

vgo0

More Details >

Affiliate Disclosure Statement <= 0.3 – Cross-Site Request Forgery

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22552

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Affiliate Disclosure Statement

Researcher

SOPROBRO

More Details >

ARS Affiliate Page Plugin <= 2.0.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12098

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
ARS Affiliate Page Plugin

Researcher

Le Ngoc Anh

More Details >

Automate Hub Free by Sperse.IO <= 1.7.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11377

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Automate Hub Free by Sperse.IO

Researcher

vgo0

More Details >

Better User Shortcodes <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22594

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Better User Shortcodes

Researcher

João Pedro Soares de Alcântara

More Details >

Binary MLM Woocommerce <= 2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12383

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Binary MLM Woocommerce

Researcher

Colin Xu

More Details >

Binary MLM Woocommerce <= 2.0 – Reflected Cross-Site Scripting via ‘page’

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12384

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Binary MLM Woocommerce

Researcher

vgo0

More Details >

Bizapp for WooCommerce <= 2.0.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11378

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Bizapp for WooCommerce

Researcher

vgo0

More Details >

Booking Calendar and Booking Calendar Pro <= Multiple Versions – Reflected Cross-Site Scripting via ‘calendar_id’

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12077

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Booking calendar, Appointment Booking System
Booking Calendar Pro WpDevArt

Researcher

vgo0

More Details >

CanvasFlow <= 1.5.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12275

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Canvasflow for WordPress

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Clasify Classified Listing <= 1.0.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12725

Patch Status
Unpatched

Published
Jan 9, 2025

Affected Software
Clasify Classified Listing

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages <= 2.4.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11327

Patch Status
Patched

Published
Jan 10, 2025

Affected Software
ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages

Researcher

vgo0

More Details >

CLUEVO LMS, E-Learning Platform <= 1.13.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11328

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
CLUEVO LMS, E-Learning Platform

Researcher

vgo0

More Details >

Compare Products for WooCommerce <= 3.2.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12435

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Compare Products for WooCommerce

Researcher

vgo0

More Details >

Competition Form <= 2.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12749

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Competition Form

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Custom DataBase Tables <= 2.1.34 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22539

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Custom DataBase Tables

Researcher

0xd4rk5id3

More Details >

Custom Field For WP Job Manager <= 1.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22294

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Custom Field For WP Job Manager

Researcher

Le Ngoc Anh

More Details >

Custom Field Manager <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12873

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Custom Field Manager

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Deliver via Shipos for WooCommerce <= 2.1.7 – Reflected Cross-Site Scripting via dvsfw_bulk_label_url Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12222

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Deliver via Shipos for WooCommerce

Researcher

vgo0

More Details >

Dental Optimizer Patient Generator App <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13052

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Dental Optimizer Patient Generator App

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Dyn Business Panel <= 1.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13057

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Dyn Business Panel

Researcher

Bob Matyas

More Details >

Dyn Business Panel <= 1.0.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13055

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Dyn Business Panel

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Dyn Business Panel <= 1.0.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13056

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Dyn Business Panel

Researcher

Bob Matyas

More Details >

ECT Home Page Products <= 1.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13225

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
ECT Home Page Products

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Enable Accessibility <= 1.4.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-9208

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Enable Accessibility

Researcher

vgo0

More Details >

Estatik Mortgage Calculator <= 2.0.11 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-9354

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Estatik Mortgage Calculator

Researcher

vgo0

More Details >

F4 Post Tree <= 1.1.18 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22499

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
F4 Post Tree

Researcher

Abdi Pranata

More Details >

Fantastic Elasticsearch <= 4.1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13221

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Fantastic ElasticSearch

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Fast Tube <= 2.3.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13218

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Fast Tube

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Featured Page Widget <= 2.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22569

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Featured Page Widget

Researcher

João Pedro Soares de Alcântara

More Details >

Financial Stocks & Crypto Market Data Plugin <= 1.10.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11690

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Financial Stocks & Crypto Market Data Plugin

Researcher

vgo0

More Details >

Food Store – Online Food Delivery & Pickup <= 1.5.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22314

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Food Store – Online Food Delivery & Pickup

Researcher

Dimas Maulana

More Details >

GDY Modular Content <= 0.9.91 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12153

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
GDY Modular Content

Researcher

Colin Xu

More Details >

Google Map Professional <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13220

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
WordPress Google Map Professional (Map In Your Language)

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Infility Global <= 2.9.8 – Reflected Cross-Site Scripting via set_type Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12290

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Infility Global

Researcher

vgo0

More Details >

Instabot <= 1.10 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22571

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Instabot: Chatbot to Increase Conversions on WordPress. Try for Free

Researcher

SOPROBRO

More Details >

JK Html To Pdf <= 1.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22547

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
JK Html To Pdf

Researcher

SOPROBRO

More Details >

KNR Author List Widget <= 3.1.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22514

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Axact Author List Widget

Researcher

João Pedro Soares de Alcântara

More Details >

Laika Pedigree Tree <= 1.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22593

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Laika Pedigree Tree

Researcher

SOPROBRO

More Details >

ldap_login_password_and_role_manager <= 1.0.12 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22548

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Plugin Name: ldap_login_password_and_role_manager

Researcher

SOPROBRO

More Details >

LucidLMS <= 1.0.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22498

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
LucidLMS

Researcher

Gab

More Details >

Mailing Group Listserv <= 2.0.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22595

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Mailing Group Listserv

Researcher

Le Ngoc Anh

More Details >

Multiple Themes by gavias <= Various Versions – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-43334

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Constix – Construction Factory & Industrial WordPress Theme
Aports – Single Property WordPress Theme
Boliin – Resort & Hotel Booking WordPress Theme
Conult – Consulting Business WordPress Themes
Fioxen – Directory Listing WordPress Theme
TheFude – Crowdfunding & Charity WordPress Theme
Gowilds – Travel & Tour Booking WordPress Theme
Halpes – Nonprofit Charity Drupal 10 Theme
Lestin – Directory Listing WordPress Theme
Modins – Insurance & Finance Drupal 11 Theme
and 9 more…

Researcher

akas wisnu aji

More Details >

News Publisher Autopilot <= 2.1.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22557

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
News Publisher Autopilot

Researcher

SOPROBRO

More Details >

Norse Rune Oracle Plugin <= 1.4.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22556

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Norse Rune Oracle Plugin

Researcher

SOPROBRO

More Details >

PayGreen Payment Gateway <= 1.0.26 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11810

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
PayGreen Payment Gateway

Researcher

vgo0

More Details >

Policy Genius <= 2.0.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13219

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Privacy Policy Genius

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Post And Page Reactions <= 1.0.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22568

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Post And Page Reactions

Researcher

João Pedro Soares de Alcântara

More Details >

Pósturinn’s Shipping with WooCommerce <= 1.3.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11815

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Pósturinn’s Shipping with WooCommerce

Researcher

vgo0

More Details >

Prayer Times Anywhere <= 2.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22590

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Prayer Times Anywhere

Researcher

SOPROBRO

More Details >

Product Table for WooCommerce <= 3.5.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22307

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Product Table for WooCommerce by CodeAstrology (wooproducttable.com)

Researcher

Le Ngoc Anh

More Details >

Push Notification for Post and BuddyPress <= 2.06 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12407

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Push Notification for Post and BuddyPress

Researcher

vgo0

More Details >

Quote Tweet <= 0.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22589

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Quote Tweet

Researcher

SOPROBRO

More Details >

Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin <= 2.2.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12412

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Rental and Booking Manager for Bike, Car, Dress, Resort with WooCommerce Integration – WpRently | WordPress plugin

Researcher

vgo0

More Details >

ResAds <= 2.0.6 – Reflected Cross-Site Scripting via Multiple Parameters

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12122

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
ResAds

Researcher

vgo0

More Details >

Same but Different – Related Posts by Taxonomy <= 1.0.16 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11363

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Same but Different – Related Posts by Taxonomy

Researcher

vgo0

More Details >

Scan External Links <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22583

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Scan External Links

Researcher

João Pedro Soares de Alcântara

More Details >

Scanventory <= 1.1.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22588

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Scanventory

Researcher

Le Ngoc Anh

More Details >

SEMA API <= 5.27 – Reflected Cross-Site Scripting via catid Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12285

Patch Status
Patched

Published
Jan 8, 2025

Affected Software
SEMA API

Researcher

vgo0

More Details >

SEO Keywords <= 1.1.3 – Reflected Cross-Site Scripting via google_error Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12126

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
SEO Keywords

Researcher

vgo0

More Details >

Shipping via Planzer for WooCommerce <= 1.0.25 – Reflected Cross-Site Scripting via processed-ids

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12337

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Shipping via Planzer for WooCommerce

Researcher

vgo0

More Details >

Simple add pages or posts <= 2.0.0 – Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12288

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Simple add pages or posts

Researcher

vgo0

More Details >

Simple Video Management System <= 1.0.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12256

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Simple Video Management System

Researcher

vgo0

More Details >

SingSong <= 1.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22522

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
SingSong

Researcher

SOPROBRO

More Details >

Site PIN <= 1.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22576

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Site PIN

Researcher

João Pedro Soares de Alcântara

More Details >

SlideDeck 1 Lite Content Slider <= 1.4.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13224

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
SlideDeck 1 Lite Content Slider

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Smart Agenda <= 4.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22506

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Smart Agenda – Prise de rendez-vous en ligne

Researcher

Abdi Pranata

More Details >

SmartEmailing.cz <= 2.2.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12261

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
SmartEmailing.cz

Researcher

vgo0

More Details >

Smoothness Slider Shortcode <= v1.2.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22555

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Smoothness Slider Shortcode

Researcher

SOPROBRO

More Details >

Store credit / Gift cards for woocommerce <= 1.0.49.46 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11369

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Store credit / Gift cards for woocommerce

Researcher

vgo0

More Details >

Tabulate <= 2.10.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13223

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Tabulate

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

Tock Widget <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22520

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Tock Widget

Researcher

0xd4rk5id3

More Details >

Transporters.io <= 2.1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12557

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Transporters.io

Researcher

SOPROBRO

More Details >

TRUSTist REVIEWer <= 2.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22567

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
TRUSTist REVIEWer

Researcher

João Pedro Soares de Alcântara

More Details >

TubePress.NET <= 4.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22559

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
TubePress.NET

Researcher

thiennv

More Details >

Unilevel MLM Plan <= 1.1.0 – Reflected Cross-Site Scripting via ‘page’

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12324

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Unilevel MLM Plan

Researcher

vgo0

More Details >

Uptime Robot <= 0.1.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22582

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Uptime Robot

Researcher

SOPROBRO

More Details >

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.12.9 – Unauthenticated Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12738

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Researcher

Brian Mungai

More Details >

ViewMedica 9 <= 1.4.15 – Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12291

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
ViewMedica 9

Researcher

vgo0

More Details >

Virtual Bot <= 1.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22538

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Virtual Bot

Researcher

Caesar Evan Santoso

More Details >

WC1C <= 0.23.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11375

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WC1C

Researcher

vgo0

More Details >

WhatsApp click to chat <= 3.0.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11686

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
WhatsApp click to chat

Researcher

vgo0

More Details >

Widgetize Pages Light <= 3.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22313

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Widgetize Pages Light

Researcher

Abdi Pranata

More Details >

Woo Ukrposhta <= 1.17.11 – Reflected Cross-Site Scripting via order, post, and idd Parameters

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12049

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Ukrposhta

Researcher

vgo0

More Details >

Woocommerce check pincode/zipcode for shipping <= 2.0.4 – Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12218

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Woocommerce check pincode/zipcode for shipping

Researcher

Colin Xu

More Details >

WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket <= 4.74 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12438

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket

Researcher

vgo0

More Details >

WooCommerce HSS Extension for Streaming Video <= 3.31 – Reflected Cross-Site Scripting via videolink Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12214

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WooCommerce HSS Extension for Streaming Video

Researcher

vgo0

More Details >

WordPress连接微博 <= 2.5.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12282

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WordPress连接微博

Researcher

Bob Matyas

More Details >

WP – Bulk SMS – by SMS.to <= 1.0.12 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11434

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WP – Bulk SMS – by SMS.to

Researcher

Colin Xu

More Details >

wp Hosting Performance Check <= 2.18.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22521

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
wp Hosting Performance Check

Researcher

João Pedro Soares de Alcântara

More Details >

WP MediaTagger <= 4.1.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-13112

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
WP MediaTagger

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

WPEX Replace DB Urls <= 0.4.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22586

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WPEX Replace DB Urls

Researcher

0xd4rk5id3

More Details >

Zephyr Admin Theme <= 1.4.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22814

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Zephyr Admin Theme

Researcher

Abdi Pranata

More Details >

WP Header Notification <= 1.2.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-22579

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WP Header Notification

Researcher

Pham Van Tam

More Details >

Chative Live chat and Chatbot <= 1.1 – Cross-Site Request Forgery via add_chative_widget_action Function

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12541

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Chative Live chat and Chatbot

Researcher

Peter Thaleikis

More Details >

Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups <= 1.3.5 – Missing Authorization

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12204

Patch Status
Patched

Published
Jan 10, 2025

Affected Software
Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups

Researcher

Lucio Sá

More Details >

ViewMedica Embed <= 1.4.15 – Cross-Site Request Forgery to SQL Injection

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12170

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
ViewMedica 9

Researcher

minhtuanact

More Details >

WP Triggers Lite <= 2.5.3 – Reflected Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-13094

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WP Triggers Lite

Researcher

Hassan Khan Yusufzai – Splint3r7

More Details >

1003 Mortgage Application <= 1.87 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-22592

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
1003 Mortgage Application

Researcher

Mika

More Details >

AI for SEO <= 1.2.9 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-22299

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
AI for SEO – Bulk Generate Metadata, Alt Text, Image Titles, Captions, Descriptions

Researcher

Dhabaleshwar Das

More Details >

ClickDesigns <= 1.8.0 – Missing Authorization to API Key Modification or Removal

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12559

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
ClickDesigns

Researcher

Ryan Zegar

More Details >

CubeWP Forms – All-in-One Form Builder <= 1.1.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-51651

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
CubeWP Forms – All-in-One Form Builder

Researcher

hunter85

More Details >

Essential WP Real Estate <= 1.1.3 – Missing Authorization to Arbitrary Post/Page Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-13318

Patch Status
Unpatched

Published
Jan 9, 2025

Affected Software
Essential WP Real Estate

Researcher

Thanh Nam Tran

More Details >

Export Import Menus <= 1.9.1 – Missing Authorization to Unauthenticated Menu Export

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-10866

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Export Import Menus

Researcher

BrokenAC ignore

More Details >

Help Scout <= 6.5.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-22512

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Help Scout

Researcher

Abdi Pranata

More Details >

InfiniteWP Client <= 1.13.0 – Unauthenticated Limited Directory Traversal to Arbitrary .txt File Reading

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-10585

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
InfiniteWP Client

Researcher

villu164

More Details >

Jupiter X Core <= 4.8.5 – Missing Authorization to Unauthenticated Popup Template Export

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12316

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Jupiter X Core

Researcher

Tieu Pham Trong Nhan

More Details >

Link Whisper Free <= 0.7.7 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-22306

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Link Whisper Free

Researcher

Ananda Dhakal

More Details >

Member Access <= 1.1.6 – Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11290

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Member Access

Researcher

Francesco Carlucci

More Details >

Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords <= 3.1 – Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12159

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords

Researcher

Joshua Chan

More Details >

Passster – Password Protect Pages and Content <= 4.2.10 – Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11282

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Passster – Password Protect Pages and Content

Researcher

Francesco Carlucci

More Details >

Popup – MailChimp, GetResponse and ActiveCampaign Intergrations <= 3.2.6 – Missing Authorization to Unauthenticated DB Table Truncation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12158

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Popup – MailChimp, GetResponse and ActiveCampaign Intergrations

Researcher

Lucio Sá

More Details >

Post Duplicator <= 2.36 – Authenticated (Contributor+) Protected Post Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12472

Patch Status
Patched

Published
Jan 10, 2025

Affected Software
Post Duplicator

Researcher

Webbernaut

More Details >

RSVP and Event Management <= 2.7.13 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12711

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
RSVP and Event Management

Researcher

Lucio Sá

More Details >

Saoshyant Page Builder <= 3.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-22560

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Saoshyant Page Builder

Researcher

Mika

More Details >

Shopping Cart & eCommerce Store <= 5.7.8 – Missing Authorization to Order Updates

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12712

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Shopping Cart & eCommerce Store

Researcher

Lucio Sá

More Details >

Social Rocket – Social Sharing Plugin <= 1.3.4 – Missing Authorization to Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-9697

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Social Rocket – Social Sharing Plugin

Researchers

Tieu Pham Trong Nhan

BrokenAC ignore

More Details >

Social Share Buttons for WordPress <= 2.7 – Missing Authorization to Unauthenticated Image Upload & Path Traversal

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-13117

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Social Share Buttons for WordPress

Researcher

Bob Matyas

More Details >

SureForms – Drag and Drop Form Builder for WordPress <= 1.2.2 – Missing Authorization to Unauthenticated Protected Post Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12713

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
SureForms – Drag and Drop Form Builder for WordPress

Researcher

Lucio Sá

More Details >

WordLift – AI powered SEO – Schema <= 3.54.0 – Missing Authorization to Authenticated (Subscriber+) Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12176

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WordLift – AI powered SEO – Schema

Researcher

Tieu Pham Trong Nhan

More Details >

WP Mailster <= 1.8.17.0 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-22303

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
WP Mailster

Researcher

Dhabaleshwar Das

More Details >

WP Wand <= 1.2.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-22302

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
WP Wand – AI Writer, AI Content Generator & AI Assistant by ChatGPT, OpenAI | Generate SEO Friendly AI Blog Post & Article with 20X Speed

Researcher

Dhabaleshwar Das

More Details >

Altra Side Menu <= 2.0 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-12773

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Altra Side Menu

Researcher

Régis SENET

More Details >

Mailing Group Listserv <= 2.0.9 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-22527

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Mailing Group Listserv

Researcher

João Pedro Soares de Alcântara

More Details >

MindValley Super PageMash <= 1.1 – Authenticated (Editor+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-22502

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
MindValley Super PageMash

Researcher

Le Ngoc Anh

More Details >

Timeline Designer <= 1.4 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-11437

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Timeline Designer

Researcher

Colin Xu

More Details >

WOOEXIM <= 5.0.0 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-22533

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WOOEXIM – WooCommerce Export Import Plugin

Researcher

João Pedro Soares de Alcântara

More Details >

WP Music Player <= 1.3 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-22536

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WP Music Player

Researcher

João Pedro Soares de Alcântara

More Details >

WP Triggers Lite <= 2.5.3 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-13095

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WP Triggers Lite

Researcher

Bob Matyas

More Details >

WPMU Prefill Post <= 1.02 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-22507

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WPMU Prefill Post

Researcher

João Pedro Soares de Alcântara

More Details >

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.0.9 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-12045

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates

Researcher

zer0gh0st

More Details >

Social Share Buttons for WordPress <= 2.7 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-12807

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Social Share Buttons for WordPress

Researcher

Bob Matyas

More Details >

Toggles Shortcode and Widget <= 1.14 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-12207

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Toggles Shortcode and Widget

Researcher

Yamil

More Details >

WP Cookie <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-22578

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WP Cookie

Researcher

Pham Van Tam

More Details >

1003 Mortgage Application <= 1.87 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22591

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
1003 Mortgage Application

Researcher

Mika

More Details >

140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.2 – Authenticated (Contributor+) Post Disclosure via Post Duplication

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12584

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
140+ Widgets | Xpro Addons For Elementor – FREE

Researcher

Webbernaut

More Details >

AdForest – Classified Ads WordPress Theme <= 5.1.7 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post/Attachment Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12855

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
AdForest

Researcher

Lucio Sá

More Details >

Admin debug wordpress – enable debug <= 1.0.13 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22503

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Admin debug wordpress – enable debug

Researcher

Abdi Pranata

More Details >

AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) <= 2.3 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12605

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K)

Researcher

Dhabaleshwar Das

More Details >

AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) <= 2.3 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12606

Patch Status
Unpatched

Published
Jan 9, 2025

Affected Software
AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K)

Researcher

Peter Thaleikis

More Details >

AI WP Writer <= 3.8.4.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22297

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
AI WP Writer – automatic content creator, ChatGPT, GPT-4, Dalle 3, FLUX

Researcher

Dhabaleshwar Das

More Details >

Altra Side Menu <= 2.0 – Cross-Site Request Forgery to Arbitrary Menu Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12774

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Altra Side Menu

Researcher

Bob Matyas

More Details >

Aurum – WordPress & WooCommerce Shopping Theme <= 4.0.2 – Missing Authorization to Authenticated (Subscriber+) Demo Content Import

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12781

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Aurum – WordPress & WooCommerce Shopping Theme

Researcher

Lucio Sá

More Details >

Bitly’s WordPress Plugin <= 2.7.3 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12616

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Bitly’s WordPress Plugin

Researcher

Lucio Sá

More Details >

Bus Ticket Booking with Seat Reservation <= 5.4.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-49294

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Bus Ticket Booking with Seat Reservation – WpBusTicketly | WordPress plugin

Researcher

Sharanabasappa

More Details >

BWD Elementor Addons <= 4.3.18 – Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12532

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
BWD Elementor Addons (2500+ presets, Meet The Team, Lottie, Lord Icon, Masking, Woocommerce, Theme Builder, Products, Blogs, CV, Contact Form 7 Styler, Header, Slider, Hero Section)

Researcher

Ankit Patel

More Details >

Competition Form <= 2.0 – Cross-Site Request Forgery to Competition Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12750

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Competition Form

Researcher

Bob Matyas

More Details >

DirectoryPress <= 3.6.19 – Cross-Site Request Forgery to Cross-Site Scripting

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-49633

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
DirectoryPress – Business Directory And Classified Ad Listing

Researcher

Dimas Maulana

More Details >

Duplicate Post, Page and Any Custom Post <= 3.5.3 – Authenticated (Contributor+) Post Disclosure via Post Duplication

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12538

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Duplicate Post, Page and Any Custom Post

Researcher

Webbernaut

More Details >

Elementor AI Addons – 70 Widgets, Premium Templates, Ultimate Elements <= 2.2.1 – Authenticated (Contributor+) Private Templates Content Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12140

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Elementor Addons AI Addons – 70 Widgets, Premium Templates, Ultimate Elements

Researcher

Nishiv

More Details >

FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor <= 6.0.0 – Missing Authorization to Authenticated (Subscriber+) Shortcode Export

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-10536

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor

Researcher

Tieu Pham Trong Nhan

More Details >

GS Insever Portfolio <= 1.4.5 – Missing Authorization to Authenticated (Subscriber+) CSS Injection

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12249

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
GS Insever Portfolio

Researcher

Peter Thaleikis

More Details >

Hive Support – WordPress Help Desk <= 1.1.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22298

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Researcher

Dhabaleshwar Das

More Details >

Jupiter X Core <= 4.8.5 – Missing Authorization to Authenticated Library Sync

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12033

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
Jupiter X Core

Researcher

Tieu Pham Trong Nhan

More Details >

LazyLoad Background Images <= 1.0.7 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12327

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
LazyLoad Background Images

Researcher

Mika

More Details >

MIMO Woocommerce Order Tracking <= 1.0.2 – Missing Authorization to Limited Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-5769

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
MIMO Woocommerce Order Tracking

Researcher

Lucio Sá

More Details >

MyBookTable Bookstore <= 3.5.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22301

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
MyBookTable Bookstore by Stormhill Media

Researcher(s): Unknown

More Details >

Newsletter2Go <= 4.0.14 – Missing Authorization to Authenticated (Subscriber+) Style Reset

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12618

Patch Status
Unpatched

Published
Jan 8, 2025

Affected Software
Newsletter2Go

Researcher

Lucio Sá

More Details >

PixelYourSite – Your smart PIXEL (TAG) Manager <= 10.0.1.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22300

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
PixelYourSite – Your smart PIXEL (TAG) & API Manager

Researcher

Dhabaleshwar Das

More Details >

Post SMTP <= 2.9.11 – Missing Authorization via regenerate_qrcode()

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22800

Patch Status
Patched

Published
Jan 7, 2025

Affected Software
Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Researcher

Rafie Muhammad

More Details >

Pretty Url <= 1.5.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22563

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Pretty Url

Researcher

thiennv

More Details >

RRAddons for Elementor <= 1.1.0 – Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11915

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
RRAddons for Elementor

Researcher

Ankit Patel

More Details >

Slides & Presentations <= 0.0.39 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22534

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Slides & Presentations

Researcher

Caesar Evan Santoso

More Details >

ST Gallery WP <= 1.0.8 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22543

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
ST Gallery WP

Researcher

Mika

More Details >

Title Experiments Free <= 9.0.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22562

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Title Experiments Free

Researcher

Mika

More Details >

Title Experiments Free <= 9.0.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22561

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
Title Experiments Free

Researcher

Mika

More Details >

Unlimited Theme Addon For Elementor and WooCommerce <= 1.2.1 – Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12116

Patch Status
Unpatched

Published
Jan 10, 2025

Affected Software
Unlimited Theme Addon For Elementor and WooCommerce

Researcher

Francesco Carlucci

More Details >

WordPress File Upload <= 4.24.15 – Missing Authorization to Authenticated (Subscriber+) Limited Path Traversal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12719

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
WordPress File Upload

Researcher

Lucio Sá

More Details >

WordPress Header Builder Plugin <= 1.3.8 – Cross-Site Request Forgery to Header Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12206

Patch Status
Patched

Published
Jan 8, 2025

Affected Software
WordPress Header Builder Plugin – Pearl

Researcher

Noah Stead (TurtleBurg)

More Details >

WP Delete Post Copies <= 5.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22541

Patch Status
Unpatched

Published
Jan 7, 2025

Affected Software
WP Delete Post Copies

Researcher

Mika

More Details >

WP Job Portal – A Complete Recruitment System for Company or Job Board website <= 2.2.5- Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12131

Patch Status
Patched

Published
Jan 6, 2025

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researcher

Apostolos Sakellariou

More Details >

WP Visitor Statistics (Real Time Traffic) <= 7.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22304

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
WP Visitor Statistics (Real Time Traffic)

Researcher

Dhabaleshwar Das

More Details >

Spacer <= 3.0.7 – Missing Authorization to Authenticated (Subscriber+) Limited Information Disclosure

3.1

CVSS Rating
Low (3.1)

CVE-ID
CVE-2024-10527

Patch Status
Unpatched

Published
Jan 6, 2025

Affected Software
Spacer

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >