AI-Powered CVE Analysis for WordPress Plugins

The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file.

The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that…

The AJAX Hits Counter + Popular Posts Widget plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 0.10.210305. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

The Visual Link Preview plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

The Smart Product Viewer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

The Hyyan WooCommerce Polylang Integration plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.11.63. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.

The Houzez Theme - Functionality plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses…

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.19.17. This makes it possible for unauthenticated attackers to perform an unauthorized action.

The Cargus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.8. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.