
AI-Powered CVE Analysis for WordPress Plugins
We use AI to automate the differential analysis between vulnerable and patched plugin versions in order to understand and interpret the security issues. What we share here are research-grade proof-of-concept demonstrations, which are then fed back into our endpoint firewall service.
WordPress Proof of Concepts
AI-assisted vulnerability analysis with PoC demonstration
2026-03-17
CVE-2026-4268: WP Go Maps (formerly WP Google Maps) <= 10.0.05 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings (wp-google-maps)
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpgmza_custom_js’ parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the 'admin_post_wpgmza_save_settings' hook anonymous function. This makes it possible for authenticated attackers, with…
2026-03-17
CVE-2026-3512: Writeprint Stylometry <= 0.1 – Reflected Cross-Site Scripting via 'p' Parameter (writeprint-stylometry)
The Writeprint Stylometry plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'p' GET parameter in all versions up to and including 0.1. This is due to insufficient input sanitization and output escaping in the bjl_wprintstylo_comments_nav() function. The function directly outputs the $_GET['p'] parameter into an HTML href attribute without any escaping. This…
2026-03-17
CVE-2026-1926: Subscriptions for WooCommerce <= 1.9.2 – Missing Authorization to Unauthenticated Arbitrary Subscription Cancellation (subscriptions-for-woocommerce)
The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wps_sfw_admin_cancel_susbcription()` function in all versions up to, and including, 1.9.2. This is due to the function being hooked to the `init` action without any authentication or authorization checks, and only performing a non-empty…
2026-03-17
CVE-2026-3090: Post SMTP <= 3.8.0 – Unauthenticated Stored Cross-Site Scripting via 'event_type' (post-smtp)
The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘event_type’ parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers…
2026-03-17
CVE-2026-25456: Automated FedEx live/manual rates with shipping labels – HPOS supported <= 5.1.8 – Missing Authorization (a2z-fedex-shipping)
The Automated FedEx live/manual rates with shipping labels – HPOS supported plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to perform an unauthorized action.
2026-03-17
CVE-2026-25461: Listeo-Core – Directory Plugin by Purethemes <= 2.0.21 – Reflected Cross-Site Scripting (listeo-core)
The Listeo-Core - Directory Plugin by Purethemes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.0.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into…
2026-03-17
CVE-2026-25452: Remoji – Post/Comment Reaction and Enhancement <= 2.2 – Unauthenticated Stored Cross-Site Scripting (remoji)
The Remoji – Post/Comment Reaction and Enhancement plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
2026-03-17
CVE-2026-25465: CP Multi View Events Calendar <= 1.4.34 – Authenticated (Subscriber+) Stored Cross-Site Scripting (cp-multi-view-calendar)
The CP Multi View Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user…
2026-03-17
CVE-2026-25455: Product Slider, Product Grid, Product Masonry <= 1.13.60 – Missing Authorization (woocommerce-products-slider)
The Product Slider, Product Grid, Product Masonry plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.13.60. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
2026-03-17
CVE-2026-24983: UpSolution Core <= 8.41 – Reflected Cross-Site Scripting (us-core)
The UpSolution Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 8.41 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such…
2026-03-17
CVE-2026-32586: Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools < 7.11.3 – Missing Authorization (woocommerce-jetpack)
The Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 7.11.3 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.
2026-03-17
CVE-2026-25460: Ave Core <= 2.9.1 – Missing Authorization (ave-core)
The Ave Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
2026-03-17
CVE-2026-25309: Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.10.1 – Missing Authorization (publishpress-authors)
The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.10.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.
2026-03-17
CVE-2026-24987: Activity Log for WordPress <= 1.2.7 – Missing Authorization (winterlock)
The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
2026-03-17
CVE-2026-25462: avalex – Automatisch sichere Rechtstexte <= 3.1.3 – Missing Authorization (avalex)
The avalex – Automatisch sichere Rechtstexte plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.1.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.
2026-03-17
CVE-2026-24378: EventPrime – Events Calendar, Bookings and Tickets <= 4.2.8.0 – Unauthenticated PHP Object Injection (eventprime-event-calendar-management)
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.8.0 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain…
2026-03-17
CVE-2026-25306: XStore Core <= 5.6.4 – Reflected Cross-Site Scripting (et-core-plugin)
The XStore Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.6.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such…
2026-03-16
CVE-2026-2373: Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 – Missing Authorization to Unauthenticated Custom Post Type Contents Exposure (royal-elementor-addons)
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom…
2026-03-16
CVE-2026-27046: StoreCustomizer – A plugin to Customize all WooCommerce Pages <= 2.6.3 – Missing Authorization (woocustomizer)
The StoreCustomizer – A plugin to Customize all WooCommerce Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
2026-03-16
CVE-2026-25369: Flexmls® IDX Plugin <= 3.15.9 – Reflected Cross-Site Scripting (flexmls-idx)
The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.15.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action…
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet — inspecting, filtering, and blocking malicious traffic before it ever reaches your application.
