Wordfence Intelligence Weekly WordPress Vulnerability Report (March 3, 2025 to March 9, 2025)


📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.


Last week, 124 vulnerabilities disclosed in 92 WordPress plugins and 12 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 51 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 24,000 vulnerabilities, then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-812 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 85
Unpatched 39

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 83
High Severity 31
Critical Severity 10

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 34
Missing Authorization 23
Cross-Site Request Forgery (CSRF) 13
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 13
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 5
Authentication Bypass Using an Alternate Path or Channel 4
Deserialization of Untrusted Data 4
Exposure of Sensitive Information to an Unauthorized Actor 4
Improper Privilege Management 4
Unrestricted Upload of File with Dangerous Type 4
Improper Control of Generation of Code (‘Code Injection’) 3
Server-Side Request Forgery (SSRF) 3
Improper Authentication 2
Improper Authorization 2
Improper Input Validation 2
Authorization Bypass Through User-Controlled Key 1
External Control of File Name or Path 1
Improper Access Control 1
SQL Injection: Hibernate 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Lucio Sá 20
Tonn 10
Krzysztof Zając 9
Peter Thaleikis 7
Tim Coen 6
Francesco Carlucci 6
Webbernaut 4
shaman0x01 3
wesley (wcraft) 2
István Márton 2
yudha 2
mikemyers 2
Stiofan 2
vgo0 2
zaim 2
Aly Khaled 2
zer0gh0st 2
Brian Sans-Souci (liardom) 2
Trương Hữu Phúc (truonghuuphuc) 2
Hoang Phuc Vo (HrxKnight) 2
stealthcopter 2
Nishiv 2
Abbas Mamoun 1
Nhien Pham (nhienit) 1
Duc Manh 1
Muhamad Visat 1
SOPROBRO 1
Gibran Abdillah 1
Phan Trong Quan 1
Brian Mungai 1
Ankit Patel 1
Keyvan Hardani 1
Noah Stead (TurtleBurg) 1
Kubow 1
Dogus Demirkiran 1
Webula 1
Rafie Muhammad 1
Nguyen Xuan Chien 1
omstaendlig 1
Filippo Decortes 1
Foxyyy 1
dream hard 1
Pierre Rudloff 1
Khang Duong 1
lucky_buddy 1
Chloe Chamberland 1
Abdi Pranata 1
zakaria 1
Pham Van Tam 1
Bob Matyas 1
Luciano Hanna 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
140+ Widgets | Xpro Addons For Elementor – FREE xpro-elementor-addons
Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin file-manager-advanced
Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit aiomatic-automatic-ai-content-writer
All-in-One Addons for Elementor – WidgetKit widgetkit-for-elementor
Allow PHP Execute allow-php-execute
Animation Addons for Elementor Pro animation-addons-for-elementor-pro
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin simply-schedule-appointments
bbPress bbpress
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors publishpress-authors
Code Snippets CPT code-snippets-cpt
Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More content-control
Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics cookiebot
CS Framework cs-framework
CURCY – WooCommerce Multi Currency – Currency Switcher woocommerce-multi-currency
DesignThemes Core Features designthemes-core-features
Downloable by American Osteopathic Association aoa-downloadable
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates essential-blocks
Eventer – WordPress Event & Booking Manager Plugin eventer
EventPrime – Events Calendar, Bookings and Tickets eventprime-event-calendar-management
Flexmls® IDX Plugin flexmls-idx
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel foogallery
Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress gallery-plugin
Gallery Styles gallery-styles
GiveWP – Donation Plugin and Fundraising Platform give
Greek Multi Tool – Ultimate Greek Language Toolkit for WordPress greek-multi-tool
Hero Maps Premium hmapsprem
Hero Mega Menu – Responsive WordPress Menu Plugin hmenu
Hero Slider – WordPress Slider Plugin hslide
Homey Login Register homey-login-register
HT Mega – Absolute Addons For Elementor ht-mega-for-elementor
I Am Gloria gloria-assistant-by-webtronic-labs
InWave Jobs iwjob
IP Based Login ip-based-login
Javo Core javo-core
m1.DownloadList m1downloadlist
Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations master-addons
Master Slider – Responsive Touch Slider master-slider
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon miniorange-login-openid
Moving Media Library moving-media-library
Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce
Notibar – Notification Bar for WordPress notibar
Page Builder: Pagelayer – Drag and Drop website builder pagelayer
Platform.ly for WooCommerce platformly-for-woocommerce
Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress
Point Maker point-maker
Post Lockdown post-lockdown
Post Meta Data Manager post-meta-data-manager
Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more post-smtp
Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes
Product Input Fields for WooCommerce product-input-fields-for-woocommerce
Razorpay Subscription Button Elementor Plugin razorpay-subscription-button-elementor
Recently Purchased Products For Woo recently-purchased-products-for-woo
Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins related-post
Responsive Lightbox & Gallery responsive-lightbox
School Management System for WordPress school-management
SearchIQ – The Search Solution searchiq
SEO Plugin by Squirrly SEO squirrly-seo
Shortcode Cleaner Lite shortcode-cleaner-lite
Simple Notification simple-notification
SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) slingblocks
SMTP by BestWebSoft bws-smtp
Solace Extra solace-extra
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table. wpgsi
Staff Directory Plugin: Company Directory staff-directory-pro
Structured Content (JSON-LD) #wpsc structured-content
SupportCandy – Helpdesk & Customer Support Ticket System supportcandy
teachPress teachpress
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce the-plus-addons-for-elementor-page-builder
UiPress lite | Effortless custom dashboards, admin themes and pages uipress-lite
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin ultimate-member
Ultimate Video Player WordPress & WooCommerce Plugin fwduvp
Ultimate WordPress Auction Plugin ultimate-auction
VikRentCar Car Rental Management System vikrentcar
VK Blocks vk-blocks
Wallet System for WooCommerce wallet-system-for-woocommerce
Wishlist wishlist
Wishlist for WooCommerce: Multi Wishlists Per Customer wish-list-for-woocommerce
WooCommerce Recover Abandoned Cart rac
WooMail – WooCommerce Email Customizer email-customizer-for-woocommerce-with-drag-drop-builder
WordPress abandoned cart recovery and email marketing for WooCommerce by Recapture recapture-for-woocommerce
WordPress Awesome Import & Export Plugin – Import & Export WordPress Data wp-awesome-import-export
WP Featherlight – A Simple jQuery Lightbox wp-featherlight
WP Online Contract onlinecontract
WP Real Estate Manager wp-realestate-manager
WP Shortcodes Plugin — Shortcodes Ultimate shortcodes-ultimate
Wp Svg Upload wp-svg-upload
WP-Recall – Registration, Profile, Commerce & More wp-recall
WPCOM Member wpcom-member
WPGet API – Connect to any external REST API wpgetapi
Years Since – Timeless Texts years-since
Zigaform – Form Builder Lite zigaform-form-builder-lite
ZoomSounds – WordPress Wave Audio Player with Playlist dzs-zoomsounds

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Design Comuni Italia design-comuni-wordpress-theme
Flex Mag – Responsive WordPress News Theme flex-mag
Golo – City Travel Guide WordPress Theme golo
Homey homey
JNews – WordPress Newspaper Magazine Blog AMP Theme jnews
Lafka – Multi Store Burger – Pizza & Food Delivery WooCommerce Theme lafka
Listingo listingo
Newscrunch newscrunch
Sparkling sparkling
VEDA – MultiPurpose WordPress Theme veda
VW Storefront vw-storefront
Zass – WooCommerce Theme for Handmade Artists and Artisans zass

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-0912
Patch Status: Patched
Published: Mar 3, 2025
Affected Software: GiveWP – Donation Plugin and Fundraising Platform
Researcher: dream hard

Golo – Directory & Listing, Travel WordPress Theme <= 1.6.10 – Missing Authorization to Privilege Escalation via Unauthenticated Arbitrary User Password Change
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-12876
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: Golo – City Travel Guide WordPress Theme
Researcher: Lucio Sá

Homey <= 2.4.2 – Unauthenticated Privilege Escalation in homey_save_profile
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-12281
Patch Status: Patched
Published: Mar 4, 2025
Affected Software: Homey
Researcher: Tonn

Homey Login Register <= 2.4.0 – Unauthenticated Privilege Escalation in homey_register
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-11951
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Homey Login Register
Researcher: Tonn

InWave Jobs <= 3.5.1 – Unauthenticated Privilege Escalation via Password Reset
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-1315
Patch Status: Unpatched
Published: Mar 6, 2025
Affected Software: InWave Jobs
Researcher: Tonn

Javo Core <= 3.0.0.080 – Unauthenticated Privilege Escalation in ajax_signup
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-0177
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: Javo Core
Researcher: Tonn

Newscrunch <= 1.8.4 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-1307
Patch Status: Patched
Published: Mar 3, 2025
Affected Software: Newscrunch
Researcher: Chloe Chamberland

VEDA – MultiPurpose WordPress Theme <= 4.2 – Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-13787
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: VEDA – MultiPurpose WordPress Theme
Researcher: Lucio Sá

WP Real Estate Manager <= 2.8 – Authentication Bypass via Account Takeover
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-1515
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: WP Real Estate Manager
Researcher: Foxyyy

WPCOM Member <= 1.7.5 – Authentication Bypass via ‘user_phone’
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-1475
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: WPCOM Member
Researcher: wesley (wcraft)

Aiomatic – AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.3.8 – Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-13882
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit
Researcher: Lucio Sá

Animation Addons for Elementor Pro <= 1.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-1639
Patch Status: Patched
Published: Mar 3, 2025
Affected Software: Animation Addons for Elementor Pro
Researcher: Tonn

CS Framework <= 7.0 – Authenticated (Subscriber+) Arbitrary File Deletion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-12035
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: CS Framework
Researcher: Tonn

Eventer – WordPress Event & Booking Manager Plugin <= 3.9.9.2 – Authenticated (Subscriber+) SQL Injection via reg_id
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-0959
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: Eventer – WordPress Event & Booking Manager Plugin
Researcher: Lucio Sá

Newscrunch <= 1.8.4 – Cross-Site Request Forgery to Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-1306
Patch Status: Patched
Published: Mar 3, 2025
Affected Software: Newscrunch
Researcher: Gibran Abdillah

School Management System for WordPress <= 93.0.0 – Authenticated (Student+) Account Takeover and Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-9658
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: School Management System for WordPress
Researcher: Tonn

Solace Extra <= 1.3.0 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: Unknown
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: Solace Extra
Researcher: Unknown

UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.04 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-1309
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: UiPress lite | Effortless custom dashboards, admin themes and pages
Researcher: vgo0

VikRentCar Car Rental Management System <= 1.4.2 – Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-11640
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: VikRentCar Car Rental Management System
Researcher: Noah Stead (TurtleBurg)

WordPress Awesome Import & Export Plugin – Import & Export WordPress Data <= 4.1.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Execution/Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-13232
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: WordPress Awesome Import & Export Plugin – Import & Export WordPress Data
Researcher: Trương Hữu Phúc (truonghuuphuc)

Flex Mag – Responsive WordPress News Theme <= 3.5.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion
CVSS Rating: High (8.1)
CVE-ID: CVE-2024-13655
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: Flex Mag – Responsive WordPress News Theme
Researcher: Lucio Sá

Homey <= 2.4.3 – Limited Authentication Bypass due to Missing Empty Value Check
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-0749
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: Homey
Researcher: István Márton

miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon <= 200.3.9 – Authentication Bypass
CVSS Rating: High (8.1)
CVE-ID: CVE-2024-11087
Patch Status: Unpatched
Published: Mar 7, 2025
Affected Software: miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon
Researcher: wesley (wcraft)

Product Input Fields for WooCommerce <= 1.12.0 – Unauthenticated Limited File Upload
CVSS Rating: High (8.1)
CVE-ID: CVE-2024-13359
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: Product Input Fields for WooCommerce
Researcher: lucky_buddy

WooCommerce Recover Abandoned Cart <= 24.3.0 – Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-0956
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: WooCommerce Recover Abandoned Cart
Researcher: Lucio Sá

ZoomSounds – WordPress Wave Audio Player with Playlist <= 6.91 – Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2024-13777
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: ZoomSounds – WordPress Wave Audio Player with Playlist
Researcher: Lucio Sá

CS Framework <= 7.1 – Authenticated (Subscriber+) Arbitrary File Read
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-12036
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: CS Framework
Researcher: Tonn

CURCY – WooCommerce Multi Currency – Currency Switcher <= 2.3.6 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13320
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: CURCY – WooCommerce Multi Currency – Currency Switcher
Researcher: Trương Hữu Phúc (truonghuuphuc)

DesignThemes Core Features <= 4.7 – Missing Authorization to Unauthenticated Arbitrary File Read via dt_process_imported_file
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13471
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: DesignThemes Core Features
Researcher: Tonn

Downloable by American Osteopathic Association <= 0.1.0 – Unauthenticated Arbitrary File Download
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13617
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Downloable by American Osteopathic Association
Researcher: Aly Khaled

Multiple Shipping And Billing Address For Woocommerce <= 1.3 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-26875
Patch Status: Patched
Published: Mar 3, 2025
Affected Software: Multiple Shipping And Billing Address For Woocommerce
Researcher: Phan Trong Quan

Ultimate Member <= 2.10.0 – Unauthenticated SQL Injection via search Parameter
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-1702
Patch Status: Patched
Published: Mar 4, 2025
Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Researcher: mikemyers

Ultimate Video Player <= 10.0 – Unauthenticated Arbitrary File Download
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-10804
Patch Status: Unpatched
Published: Mar 6, 2025
Affected Software: Ultimate Video Player WordPress & WooCommerce Plugin
Researcher: Tonn

WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-1323
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: WP-Recall – Registration, Profile, Commerce & More
Researcher: Krzysztof Zając

Allow PHP Execute <= 1.0 – Authenticated (Editor+) PHP Code Injection
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-13890
Patch Status: Unpatched
Published: Mar 7, 2025
Affected Software: Allow PHP Execute
Researcher: Francesco Carlucci

Design Comuni Italia <= 1.1.1 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-1798
Patch Status: Patched
Published: Mar 4, 2025
Affected Software: Design Comuni Italia
Researcher: Filippo Decortes

Downloable by American Osteopathic Association <= 0.1.0 – Unauthenticated Server-Side Request Forgery
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-13618
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Downloable by American Osteopathic Association
Researcher: Aly Khaled

Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress <= 4.7.3 – Authenticated (Administrator+) PHP Object Injection
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-13906
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress
Researcher: Hoang Phuc Vo (HrxKnight)

Greek Multi Tool <= 2.3.1 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: Unknown
Patch Status: Patched
Published: Mar 5, 2025
Affected Software: Greek Multi Tool – Ultimate Greek Language Toolkit for WordPress
Researcher: Unknown

Post Meta Data Manager <= 1.4.3 – Authenticated (Admin+) Multisite Privilege Escalation
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-13835
Patch Status: Unpatched
Published: Mar 7, 2025
Affected Software: Post Meta Data Manager
Researcher: Francesco Carlucci

SMTP by BestWebSoft <= 1.1.9 – Authenticated (Administrator+) Arbitrary File Upload
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-13908
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: SMTP by BestWebSoft
Researcher: Hoang Phuc Vo (HrxKnight)

Hero Maps Premium – Customizable Google Maps Plugin <= 2.3.9 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13781
Patch Status: Unpatched
Published: Mar 6, 2025
Affected Software: Hero Maps Premium
Researcher: Lucio Sá

Hero Mega Menu – Responsive WordPress Menu Plugin <= 1.16.5 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13778
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Hero Mega Menu – Responsive WordPress Menu Plugin
Researcher: Lucio Sá

Hero Mega Menu – Responsive WordPress Menu Plugin <= 1.16.5 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Directory Deletion
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13780
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Hero Mega Menu – Responsive WordPress Menu Plugin
Researcher: Lucio Sá

Hero Slider – WordPress Slider Plugin <= 1.3.5 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13809
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Hero Slider – WordPress Slider Plugin
Researcher: Lucio Sá

Listingo – Business Listing and Directory WordPress Theme <= 3.2.7 – Unauthenticated Arbitrary Shortcode Execution
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13815
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Listingo
Researcher: Lucio Sá

Moving Media Library <= 1.22 – Authenticated (Administrator+) Directory Traversal to Arbitrary File Deletion
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13897
Patch Status: Patched
Published: Mar 5, 2025
Affected Software: Moving Media Library
Researcher: omstaendlig

School Management System for WordPress <= 92.0.0 – Authenticated (Student+) SQL Injection via ‘view-attendance’
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-12609
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: School Management System for WordPress
Researcher: shaman0x01

School Management System for WordPress <= 92.0.0 – Authenticated (Subscriber+) SQL Injection via ‘mj_smgt_show_event_task’
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-12607
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: School Management System for WordPress
Researcher: shaman0x01

SEO Plugin by Squirrly SEO <= 12.4.05 – Authenticated (Subscriber+) SQL Injection via search Parameter
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-1768
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: SEO Plugin by Squirrly SEO
Researcher: Muhamad Visat

Shortcode Cleaner Lite <= 1.0.9 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Export
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-1481
Patch Status: Unpatched
Published: Mar 7, 2025
Affected Software: Shortcode Cleaner Lite
Researcher: Krzysztof Zając

teachPress <= 9.0.7 – Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-1321
Patch Status: Patched
Published: Mar 3, 2025
Affected Software: teachPress
Researcher: Krzysztof Zając

WP Online Contract <= 5.1.4 – Missing Authorization to Unauthenticated Settings Import
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-0954
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: WP Online Contract
Researcher: Lucio Sá

140+ Widgets | Xpro Addons For Elementor – FREE <= 1.4.6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13649
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: 140+ Widgets | Xpro Addons For Elementor – FREE
Researcher: zer0gh0st

Advanced File Manager <= 5.2.14 – Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13805
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin
Researcher: Duc Manh

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-1664
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates
Researcher: Webbernaut

Flexmls® IDX <= 3.14.27 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-0863
Patch Status: Patched
Published: Mar 6, 2025
Affected Software: Flexmls® IDX Plugin
Researcher: yudha

FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel <= 2.4.29 – Authenticated (Custom+) Stored Cross-Site Scripting via Album Title Size
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12119
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Researcher: Stiofan

Gallery Styles <= 1.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-1783
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: Gallery Styles
Researcher: Peter Thaleikis

HT Mega – Absolute Addons For Elementor <= 2.8.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Countdown Widget
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-1261
Patch Status: Patched
Published: Mar 7, 2025
Affected Software: HT Mega – Absolute Addons For Elementor
Researcher: Webbernaut

m1.DownloadList <= 0.19 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-26895
Patch Status: Patched
Published: Mar 3, 2025
Affected Software: m1.DownloadList
Researcher: yudha

Master Addons <= 2.0.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-0433
Patch Status: Patched
Published: Mar 3, 2025
Affected Software: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Researcher: stealthcopter

Master Addons <= 2.0.7.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-9618
Patch Status: Patched
Published: Mar 3, 2025
Affected Software: Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
Researcher: Webbernaut

Master Slider – Responsive Touch Slider <= 3.10.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13757
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Master Slider – Responsive Touch Slider
Researcher: Krzysztof Zając

Master Slider – Responsive Touch Slider <= 3.10.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via ms_slider Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-11731
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Master Slider – Responsive Touch Slider
Researcher: Peter Thaleikis

Multiple Plugins <= (Various Versions) – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Featherlight.js JavaScript Library
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-5667
Patch Status: Patched
Published: Mar 4, 2025
Affected Software: WP Featherlight – A Simple jQuery Lightbox; Responsive Lightbox & Gallery
Researcher: Webbernaut

Point Maker <= 0.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12815
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Point Maker
Researcher: zakaria

Recently Purchased Products For Woo <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via view Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-1008
Patch Status: Patched
Published: Mar 4, 2025
Affected Software: Recently Purchased Products For Woo
Researcher: Peter Thaleikis

SearchIQ – The Search Solution <= 4.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13350
Patch Status: Patched
Published: Mar 4, 2025
Affected Software: SearchIQ – The Search Solution
Researcher: zaim

Simple Notification <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13866
Patch Status: Unpatched
Published: Mar 4, 2025
Affected Software: Simple Notification
Researcher: Pham Van Tam

SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) <= 1.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13675
Patch Status
Patched
Published
Mar 7, 2025

Affected Software
SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels)
Researcher

Nishiv

Structured Content (JSON-LD) #wpsc <= 1.6.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via sc_fs_local_business Shortcode

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-0512
Patch Status
Patched
Published
Mar 3, 2025

Affected Software
Structured Content (JSON-LD) #wpsc
Researcher

shaman0x01

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1287
Patch Status
Patched
Published
Mar 7, 2025

Affected Software
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Researcher

zer0gh0st

Wishlist <= 1.0.43 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12809
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
Wishlist
Researcher

SOPROBRO

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via src Parameter

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-0370
Patch Status
Patched
Published
Mar 3, 2025

Affected Software
WP Shortcodes Plugin — Shortcodes Ultimate
Researcher

stealthcopter

WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1324
Patch Status
Patched
Published
Mar 7, 2025

Affected Software
WP-Recall – Registration, Profile, Commerce & More
Researcher

Krzysztof Zając

Years Since – Timeless <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12460
Patch Status
Unpatched
Published
Mar 7, 2025

Affected Software
Years Since – Timeless Texts
Researcher

zaim

bbPress <= 2.6.11 – Cross-Site Request Forgery to Limited Privilege Escalation

CVSS Rating
Medium (6.3)
CVE-ID
CVE-2025-1435
Patch Status
Patched
Published
Mar 4, 2025

Affected Software
bbPress
Researcher

Brian Mungai

WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

CVSS Rating
Medium (6.3)
CVE-ID
CVE-2025-1325
Patch Status
Patched
Published
Mar 7, 2025

Affected Software
WP-Recall – Registration, Profile, Commerce & More
Researcher

Krzysztof Zając

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.8.3 – Reflected Cross-Site Scripting

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13431
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
Researcher

Luciano Hanna

Company Directory <= 4.3 – Reflected Cross-Site Scripting via add_query_arg Function

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13839
Patch Status
Unpatched
Published
Mar 4, 2025

Affected Software
Staff Directory Plugin: Company Directory
Researcher

Peter Thaleikis

Hero Mega Menu – Responsive WordPress Menu Plugin <= 1.16.5 – Reflected Cross-Site Scripting

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13779
Patch Status
Unpatched
Published
Mar 4, 2025

Affected Software
Hero Mega Menu – Responsive WordPress Menu Plugin
Researcher

Lucio Sá

Razorpay Subscription Button Elementor Plugin <= 1.0.3 – Reflected Cross-Site Scripting via add_query_arg and remove_query_arg Functions

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13827
Patch Status
Unpatched
Published
Mar 4, 2025

Affected Software
Razorpay Subscription Button Elementor Plugin
Researcher

Peter Thaleikis

Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins <= 2.0.59 – Cross-Site Request Forgery to Stored Cross-Site Scripting

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12634
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
Related Posts, Inline Related Posts, Contextual Related Posts, Related Content By PickPlugins
Researcher

vgo0

Wishlist for WooCommerce: Multi Wishlists Per Customer <= 3.1.7 – Cross-Site Request Forgery to Cross-Site Scripting via Wishlist Name

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13774
Patch Status
Patched
Published
Mar 7, 2025

Affected Software
Wishlist for WooCommerce: Multi Wishlists Per Customer
Researcher

Tim Coen

Zigaform – Form Builder Lite <= 7.4.2 – Unauthenticated Stored Cross-Site Scripting

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-26989
Patch Status
Patched
Published
Mar 3, 2025

Affected Software
Zigaform – Form Builder Lite
Researcher

Abdi Pranata

Print Invoice & Delivery Notes for WooCommerce <= 5.4.1 – Unauthenticated Sensitive Information Exposure Through Unprotected Directory

CVSS Rating
Medium (5.9)
CVE-ID
CVE-2024-13640
Patch Status
Patched
Published
Mar 7, 2025

Affected Software
Print Invoice & Delivery Notes for WooCommerce
Researcher

Tim Coen

Notibar <= 2.1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-1672
Patch Status
Patched
Published
Mar 5, 2025

Affected Software
Notibar – Notification Bar for WordPress
Researcher

Khang Duong

WPGet API <= 2.2.10 – Authenticated (Administrator+) Server-Side Request Forgery

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-13857
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
WPGet API – Connect to any external REST API
Researcher

Francesco Carlucci

Aiomatic – AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.3.6 – Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-13816
Patch Status
Patched
Published
Mar 7, 2025

Affected Software
Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit
Researcher

Lucio Sá

Ultimate WordPress Auction Plugin <= 4.2.9 – Missing Authorization to Arbitrary Post Deletion

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-0958
Patch Status
Patched
Published
Mar 3, 2025

Affected Software
Ultimate WordPress Auction Plugin
Researcher

Brian Sans-Souci (liardom)

WP SVG Upload <= 1.0.0 – Authenticated (Author+) Stored Cross-Site Scripting via SVG

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-11847
Patch Status
Unpatched
Published
Mar 5, 2025

Affected Software
Wp Svg Upload
Researcher

Pierre Rudloff

Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More <= 2.5.0 – Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-11153
Patch Status
Unpatched
Published
Mar 4, 2025

Affected Software
Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More
Researcher

Francesco Carlucci

JNews – WordPress Newspaper Magazine Blog AMP Theme <= 11.6.6 – Unauthorized User Registration

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-8682
Patch Status
Patched
Published
Mar 4, 2025

Affected Software
JNews – WordPress Newspaper Magazine Blog AMP Theme
Researcher

Kubow

Platform.ly for WooCommerce <= 1.1.6 – Unauthenticated Blind Server-Side Request Forgery

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13904
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
Platform.ly for WooCommerce
Researcher

Francesco Carlucci

School Management System for WordPress <= 93.0.0 – Missing Authorization to Unauthenticated Arbitrary Post Deletion

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12610
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
School Management System for WordPress
Researcher

Lucio Sá

School Management System for WordPress <= 93.0.0 – Reflected Cross-Site Scripting

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12611
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
School Management System for WordPress
Researcher

Lucio Sá

Sparkling <= 2.4.9 – Missing Authorization to Unauthenticated Arbitrary Plugin Activation/Deactivation

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13423
Patch Status
Unpatched
Published
Mar 4, 2025

Affected Software
Sparkling
Researcher

mikemyers

Post SMTP <= 3.1.2 – Authenticated (Administrator+) SQL Injection via columns Parameter

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-13844
Patch Status
Patched
Published
Mar 7, 2025

Affected Software
Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Researcher

Nhien Pham (nhienit)

PublishPress Authors <= 4.7.3 – Authenticated (Administrator+) SQL Injection

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-26886
Patch Status
Patched
Published
Mar 3, 2025

Affected Software
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors
Researcher

Webula

IP Based Login <= 2.4.0 – Authenticated (Admin+) Stored Cross-Site Scripting

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-12800
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
IP Based Login
Researcher

Dogus Demirkiran

All-in-One Addons for Elementor – WidgetKit <= 2.5.4 – Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-10321
Patch Status
Unpatched
Published
Mar 7, 2025

Affected Software
All-in-One Addons for Elementor – WidgetKit
Researcher

Ankit Patel

Code Snippets CPT <= 2.1.0 – Authenticated (Subscriber+) Arbitrary Shortcode Execution

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13895
Patch Status
Unpatched
Published
Mar 7, 2025

Affected Software
Code Snippets CPT
Researcher

Francesco Carlucci

Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics <= 4.4.1 – Missing Authorization to Authenticated (Subscriber+) Survey Submission

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1666
Patch Status
Patched
Published
Mar 5, 2025

Affected Software
Cookie banner plugin for WordPress – Cookiebot CMP by Usercentrics
Researcher

Peter Thaleikis

EventPrime – Events Calendar, Bookings and Tickets <= 4.0.7.3 – Missing Authorization to Authenticated (Subscriber+) Event Attendees Export

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13526
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
EventPrime – Events Calendar, Bookings and Tickets
Researcher

Tim Coen

FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel <= 2.4.29 – Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-12114
Patch Status
Patched
Published
Mar 7, 2025

Affected Software
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel
Researcher

Stiofan

Homey <= 2.4.3 – Cross-Site Request Forgery to User Verification

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-0748
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
Homey
Researcher

István Márton

I Am Gloria <= 1.1.4 – Cross-Site Request Forgery

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-0990
Patch Status
Unpatched
Published
Mar 4, 2025

Affected Software
I Am Gloria
Researcher

Keyvan Hardani

IP Based Login <= 2.4.0 – Cross-Site Request Forgery to Log Deletion

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13118
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
IP Based Login
Researcher

Bob Matyas

Lafka – Multi Store Burger – Pizza & Food Delivery WooCommerce Theme <= 4.5.7 – Missing Authorization to Authenticated (Subscriber+) Demo Import

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13811
Patch Status
Unpatched
Published
Mar 4, 2025

Affected Software
Lafka – Multi Store Burger – Pizza & Food Delivery WooCommerce Theme
Researcher

Lucio Sá

Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.8 – Cross-Site Request Forgery (CSRF) to Post Contents Modification

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1926
Patch Status
Patched
Published
Mar 9, 2025

Affected Software
Page Builder: Pagelayer – Drag and Drop website builder
Researcher

Brian Sans-Souci (liardom)

Podlove Podcast Publisher <= 4.2.2 – Cross-Site Request Forgery via ajax_transcript_delete Function

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1383
Patch Status
Patched
Published
Mar 5, 2025

Affected Software
Podlove Podcast Publisher
Researcher

Abbas Mamoun

Post Lockdown <= 4.0.2 – Missing Authorization to Authenticated (Subscriber+) Post Disclosure

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1504
Patch Status
Unpatched
Published
Mar 7, 2025

Affected Software
Post Lockdown
Researcher

Krzysztof Zając

Recapture for WooCommerce <= 1.0.43 – Cross-Site Request Forgery to Settings Update

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-26899
Patch Status
Patched
Published
Mar 3, 2025

Affected Software
WordPress abandoned cart recovery and email marketing for WooCommerce by Recapture
Researcher

Nguyen Xuan Chien

SEO Plugin by Squirrly SEO <= 12.4.06 – Missing Authorization

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24654
Patch Status
Patched
Published
Mar 3, 2025

Affected Software
SEO Plugin by Squirrly SEO
Researcher

Rafie Muhammad

Spreadsheet Integration <= 3.8.2 – Cross-Site Request Forgery to Arbitrary Post Publish

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1463
Patch Status
Patched
Published
Mar 4, 2025

Affected Software
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table.
Researcher

Krzysztof Zając

SupportCandy – Helpdesk & Customer Support Ticket System <= 3.3.0 – Insecure Direct Object Reference

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13552
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
SupportCandy – Helpdesk & Customer Support Ticket System
Researcher

Tim Coen

VK Blocks <= 1.94.2.2 – Missing Authorization to Sensitive Information Exposure

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13635
Patch Status
Patched
Published
Mar 6, 2025

Affected Software
VK Blocks
Researcher

Nishiv

VW Storefront <= 0.9.9 – Missing Authorization to Authenticated (Subscriber+) Settings Reset

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13686
Patch Status
Patched
Published
Mar 3, 2025

Affected Software
VW Storefront
Researcher

Peter Thaleikis

Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction <= 2.6.2 – Cross-Site Request Forgery

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13682
Patch Status
Patched
Published
Mar 3, 2025

Affected Software
Wallet System for WooCommerce
Researcher

Tim Coen

Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction <= 2.6.2 – Missing Authorization

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13724
Patch Status
Patched
Published
Mar 3, 2025

Affected Software
Wallet System for WooCommerce
Researcher

Tim Coen

WooMail – WooCommerce Email Customizer <= 3.0.34 – Authenticated (Subscriber+) Missing Authorization to SQL Injection

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13747
Patch Status
Unpatched
Published
Mar 4, 2025

Affected Software
WooMail – WooCommerce Email Customizer
Researcher

Lucio Sá

WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 – Authenticated (Contributor+) Protected Post Disclosure

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1322
Patch Status
Patched
Published
Mar 7, 2025

Affected Software
WP-Recall – Registration, Profile, Commerce & More
Researcher

Krzysztof Zając

Zass – WooCommerce Theme for Handmade Artists and Artisans <= 3.9.9.10 – Missing Authorization to Authenticated (Subscriber+) Demo Import

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13810
Patch Status
Unpatched
Published
Mar 4, 2025

Affected Software
Zass – WooCommerce Theme for Handmade Artists and Artisans
Researcher

Lucio Sá


As a reminder, Wordfence has curated an industry-leading vulnerability database, known as Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through submissions from vulnerability researchers participating directly in our Bug Bounty Program, and by monitoring a variety of sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (March 3, 2025 to March 9, 2025) appeared first on Wordfence.
