WordPress: Open source blog software


Products by WordPress Sorted by Most Security Vulnerabilities since 2018

WordPress (Blog Platform): 129 vulnerabilities
WordPress Rank Math Seo: 1 vulnerability
WordPress Recipe Maker: 1 vulnerability
WordPress Shoplentor: 1 vulnerability
WordPress Video Lightbox: 1 vulnerability
WordPress Elespare: 1 vulnerability
WordPress Acf On The Go: 1 vulnerability
WordPress Leadconnector: 1 vulnerability

Known Exploited WordPress Vulnerabilities

The following WordPress vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: WordPress File Manager Remote Code Execution Vulnerability
CVE: CVE-2020-25213 (exploit probability 94.4%); added November 3, 2021
Description: The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension.

Title: WordPress Snap Creek Duplicator and Duplicator Pro plugins Directory Traversal
CVE: CVE-2020-11738 (exploit probability 94.1%); added November 3, 2021
Description: The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.

Title: WordPress Social-Warfare plugin XSS
CVE: CVE-2019-9978 (exploit probability 87.7%); added November 3, 2021
Description: The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 2 vulnerabilities in WordPress with an average score of 6.3 out of ten. Last year, in 2025, WordPress had 11 security vulnerabilities published. Right now, WordPress is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.28.

Year Vulnerabilities Average Score
2026 2 6.25
2025 11 5.97
2024 44 6.12
2023 13 6.90
2022 9 6.54
2021 9 6.63
2020 21 6.65
2019 22 5.87
2018 16 8.13

It may take a day or so for new WordPress vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent WordPress Security Vulnerabilities

CVE-2026-3906 | Mar 11, 2026 | WordPress
  WordPress core 6.9-6.9.1 unauthorized note creation via REST API
  WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status.

CVE-2023-54333 | Jan 13, 2026
  Critical SQLi in Social-Share-Buttons 2.2.3 via project_id param
  Social-Share-Buttons 2.2.3 contains a critical SQL injection vulnerability in the project_id parameter that allows attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted POST requests with malicious SQL payloads to retrieve and potentially steal entire database contents.

CVE-2025-5092 | Nov 20, 2025 | WordPress
  WordPress Plugins: XSS via lightGallery <=2.8.3 (Contributor+ attacks)
  Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-58674 | Sep 23, 2025 | WordPress
  WordPress Core Stored XSS (CVE-2025-58674) up to v6.8.2
  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is a low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.

CVE-2025-58246 | Sep 23, 2025 | WordPress
  WP <=6.8.2: Insert Sensitive Info into Outgoing Data (Contributor Priv.)
  Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges are required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.

CVE-2025-54352 | Jul 21, 2025 | WordPress
  WordPress XML-RPC Pingback Title Guessing (v3.5–6.8.2)
  WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.

CVE-2025-2537 | Jul 03, 2025 | WordPress
  WordPress XSS via ThickBox JavaScript v3.1 in various plugins
  Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library (version 3.1) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-48903 | Jun 06, 2025 | WordPress
  WP Media Lib Module Permission Bypass
  Permission bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect availability.

CVE-2024-5878 | May 20, 2025 | WordPress
  WP Plugins: SimpleLightbox 2.1.5 Stored XSS (auth)
  Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled SimpleLightbox JavaScript library (version 2.1.5) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-21095 | Mar 05, 2025 | WordPress
  WordPress 6.8.0 Path Traversal for Arbitrary File Download
  Path traversal may lead to arbitrary file download. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.
CVE-2024-5667 | Mar 05, 2025 | WordPress
  WP plugins XSS via Featherlight.js v1.7.13-1.7.14
  Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Featherlight.js JavaScript library (versions 1.7.13 to 1.7.14) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-26527 | Feb 24, 2025 | WordPress
  WordPress Tags Unintended Disclosure via Tag Search & Tags Block
  Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.

CVE-2023-40108 | Jan 21, 2025 | WordPress
  Local Media Disclosure via Missing Permission Check (CVE-2023-40108)
  In multiple locations, there is a possible way to access media content belonging to another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2024-11331 | Dec 20, 2024 | WordPress
  WordPress Plugin '??????? ??????? ??????? ???? ????': Reflected XSS Vulnerability
  The plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-11875 | Dec 12, 2024 | WordPress
  WordPress Plugin 'Add infos to the events calendar' Stored XSS Vulnerability in 'fuss' Shortcode
  The Add infos to the events calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fuss' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-11292 | Dec 06, 2024 | Wp Private Content Plus Plugin
  WP Private Content Plus Plugin Sensitive Information Exposure via WordPress Search
  The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.1 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

CVE-2024-11178 | Dec 06, 2024 | Login With Otp Plugin
  LoginWithOTPPlugin WP Auth Bypass via Weak OTP (<=1.4.2)
  The Login With OTP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.4.2. This is due to the plugin generating too weak an OTP, and there is no attempt or time limit. This makes it possible for unauthenticated attackers to generate and brute force the 6-digit numeric OTP, which makes it possible to log in as any existing user on the site, such as an administrator, if they have access to the email.

CVE-2024-11091 | Nov 26, 2024 | WordPress
  WordPress Support SVG Plugin: Stored XSS via REST API SVG File Uploads
  The Support SVG Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVE-2024-11231 | Nov 23, 2024 | WordPress
  Stored XSS Vulnerability in WordPress Plugin ???? ????? via mnp_purchase Shortcode
  The plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mnp_purchase shortcode in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-11229 | Nov 23, 2024 | WordPress
  Stored XSS Vulnerability in WordPress Plugin ??? ??? via Shortcodes
  The plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's add_plus_friends and add_plus_talk shortcodes in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-9830 | Nov 19, 2024 | WordPress
  WordPress Bard Theme Reflected XSS Vulnerability in URL Parameter Handling
  The Bard theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.216. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-10311 | Nov 15, 2024 | External Database Based Actions
  WordPress External Database Based Actions Plugin Authentication Bypass Vulnerability
  The External Database Based Actions plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.1. This is due to a missing capability check in the 'edba_admin_handle' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update the plugin settings and log in as any existing user on the site, such as an administrator.

CVE-2022-4973 | Oct 16, 2024 | WordPress
  WordPress Core 6.0.2 Authenticated Stored XSS via the_meta()
  WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.

CVE-2024-6307 | Jun 25, 2024 | WordPress
  WordPress Core <6.5.5 Stored XSS via HTML API (Contributor+)
  WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5455 | Jun 21, 2024 | Plus Addon Elementor Page Builder
  Plus Addons LFI magazine_style 5.5.4
  The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other safe file types can be uploaded and included.

CVE-2024-5382 | Jun 07, 2024 | Free Widgets Elementor Plugin
  Unauthorized Data Modification via REST API in Master Addons <=2.0.6.1
  The Master Addons Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ma-template' REST API route in all versions up to, and including, 2.0.6.1. This makes it possible for unauthenticated attackers to create or modify existing Master Addons templates or make settings modifications related to these templates.

CVE-2024-35162 | May 22, 2024 | WordPress
  WordPress: Path Traversal via Dashboard Plugin (<1.8.6)
  Path traversal vulnerability exists in Download Plugins and Themes from Dashboard versions prior to 1.8.6. If this vulnerability is exploited, a remote authenticated attacker with "switch_themes" privilege may obtain arbitrary files on the server.

CVE-2024-4439 | May 03, 2024 | WordPress
  WordPress Core <= 6.5.2 Stored XSS via Avatar Block Display Name
  WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.

CVE-2024-3649 | May 02, 2024 | Contact Form Drag Drop Form Builder
  WPForms Price Manipulation in <=1.8.7.2 via Stripe Integration
  The Contact Form by WPForms Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration.

CVE-2024-3991 | May 02, 2024 | Shoplentor
  ShopLentor WooCommerce Builder XSS via _id (2.8.7)
  The ShopLentor WooCommerce Builder for Elementor & Gutenberg +12 Modules All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id attribute in the Horizontal Product Filter in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-3670 | May 02, 2024 | Leaflet Maps Marker
  Stored XSS in Leaflet Maps Marker WP Plugin 3.12.8 via Shortcode
  The Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mapsmarker' shortcode in all versions up to, and including, 3.12.8 due to insufficient input sanitization and output escaping on user supplied attributes such as 'mapwidthunit'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-1415 | May 02, 2024 | Responsive Contact Form Builder Lead Generation
  WordPress Responsive Contact Form Builder CSRF before v1.8.9
  The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.9. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. These actions may result in form deletion, and lead signup as well as file upload.

CVE-2024-2328 | May 02, 2024 | Real Media Library
  WP Real Media Library 4.22.11 XSS via image title/alt
  The Real Media Library: Media Library Folder & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image title and alt text in all versions up to, and including, 4.22.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-2960 | May 02, 2024 | Svs Pricing Tables
  SVS Pricing Tables WP plugin <=1.0.4: CSRF DeletePricingTable()
  The SVS Pricing Tables plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the deletePricingTable() function. This makes it possible for unauthenticated attackers to delete pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2024-3681 | May 02, 2024 | Interactive World Maps
  WP Interactive World Maps <2.4.14 Reflected XSS via Search Param
  The Interactive World Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the search (s) parameter in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-3161 | May 02, 2024 | Jeg Elementor Kit
  Stored XSS in Jeg Elementor Kit <2.6.4 Countdown Widget
  The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's attributes in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-3071 | May 02, 2024 | Acf On The Go
  ACF On-The-Go v1.0.1 causes privilege escalation via acfg_update_fields()
  The ACF On-The-Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the acfg_update_fields() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post titles, descriptions, and ACF values.

CVE-2024-3729 | May 02, 2024 | Frontend Admin By Dynamiapps
  WordPress Frontend Admin 3.19.4: Unauth Priv Esc via fea_encrypt Encryption Bypass
  The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'fea_encrypt' function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user processing forms, which can be used to add and edit administrator user for privilege escalation, or to automatically log in users for authentication bypass, or manipulate the post processing form that can be used to inject arbitrary web scripts. This can only be exploited if the 'openssl' php extension is not loaded on the server.

CVE-2024-3647 | May 02, 2024 | Premium Addons For Elementor
  Stored XSS in Premium Addons for Elementor <=4.10.28 Post Ticker Widget
  The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's post ticker widget in all versions up to, and including, 4.10.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the premium version of the plugin to be installed and activated in order to be exploited.

CVE-2024-4324 | May 02, 2024 | Video Lightbox
  WP Video Lightbox <=1.9.10 XSS via width param
  The WP Video Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the width parameter in all versions up to, and including, 1.9.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-3936 | May 02, 2024 | Post Grid Shortcode Gutenberg Blocks Elementor
  WordPress Post Grid <=7.6.1: Authenticated Settings Tampering (rtTPGSaveSettings)
  The The Post Grid Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with subscriber access or higher, to change the plugin's settings and invoke other functions hooked by AJAX actions.

CVE-2024-3490 | May 02, 2024 | Recipe Maker
  WP Recipe Maker Stored XSS via wprm-recipe-roundup-item (<=9.3.1)
  The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wprm-recipe-roundup-item shortcode in all versions up to, and including, 9.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-1371 | Apr 30, 2024 | Leadconnector
  LeadConnector WP Plugin v<=1.7: Unauth Deletion via lc_public_api_proxy()
  The LeadConnector plugin for WordPress is vulnerable to unauthorized modification & loss of data due to a missing capability check on the lc_public_api_proxy() function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to delete arbitrary posts. CVE-2024-34378 is likely a duplicate of this issue.

CVE-2024-2258 | Apr 27, 2024 | Form Maker By 10web
  Form Maker by 10Web 1.15.24 XSS via User Display Name in Contact Forms
  The Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-3730 | Apr 25, 2024 | Simple Membership
  WP Simple Membership <=4.4.3 Stored XSS via swpm_paypal_sub_cancel_link
  The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-3994 | Apr 25, 2024 | Tutor Lms Elearning Online Course Solution
  Stored XSS in Tutor LMS v2.6.2 via tutor_instructor_list shortcode
  The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-3988 | Apr 25, 2024 | Sina Extension For Elementor
  Sina Elementor Extension v3.5.2 Stored XSS via Fancy Text Widget
  The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Fancy Text Widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-32699 | Apr 24, 2024 | Yith Woocommerce Compare
  YITH WooCommerce Compare v2.37.0 CSRF Vulnerability
  Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare. This issue affects YITH WooCommerce Compare: from n/a through <= 2.37.0.

CVE-2024-3665 | Apr 23, 2024 | Rank Math Seo
  Stored XSS in Rank Math SEO Plugin (1.0.216) via FAQ Widgets
  The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's HowTo and FAQ widgets in all versions up to, and including, 1.0.216 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-0900 | Apr 23, 2024 | Elespare
  WP Plugin Elespare <=2.1.2 Auth Post Creation Loophole
  The Elespare Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! plugin for WordPress is vulnerable to unauthorized post creation due to a missing capability check on the elespare_create_post() function hooked via AJAX in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary posts.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).