AI-Powered CVE Analysis for WordPress Plugins

The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish…

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal…

The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending,…

The The Grid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 2.8.0 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.

The ID Arrays plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such…

The Booked - Appointment Booking for WordPress plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Custom-level access and above, to bypass authentication and access other user's accounts.

The Shiprocket plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.8 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

The Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

The Easy Hotel Booking plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

The Nelio Popups plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.