AI-Powered CVE Analysis for WordPress Plugins

The Gyan Elements plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.2.1. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to…

The Conditional CAPTCHA plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 4.0.0. This is due to insufficient validation on the redirect url supplied via a parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing…

The WP Sync for Notion – Notion to WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

The Mizan Demo Importer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 0.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

The WP Wand – Unlimited Content Generation using AI – for OpenAI, Claude, Openrouter and Deepseek plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.3.07. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an…

The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute…

The Serious Slider plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing…

The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails.

The Visual Feedback, Review & AI Collaboration Tool For WordPress – Atarim plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.