Latest Vulnerabilities
- The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'update_delay_days' parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
  Published: Jul 14, 2025 | Slug: companion-auto-update | CVSS: 5.5/10 | CVE: CVE-2025-4369 | Affected Versions: ≥ * & ≤ 3.9.2 | Patched in: 3.9.3 | Type: Plugin

- The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Published: Jul 14, 2025 | Slug: strong-testimonials | CVSS: 6.4/10 | CVE: CVE-2025-7367 | Affected Versions: ≥ * & ≤ 3.2.11 | Patched in: 3.2.12 | Type: Plugin

- The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.
  Published: Jul 14, 2025 | Slug: ht-contactform | CVSS: 9.8/10 | CVE: CVE-2025-7340 | Affected Versions: ≥ * & ≤ 2.2.1 | Patched in: 2.2.2 | Type: Plugin

- The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
  Published: Jul 14, 2025 | Slug: ht-contactform | CVSS: 9.1/10 | CVE: CVE-2025-7360 | Affected Versions: ≥ * & ≤ 2.2.1 | Patched in: 2.2.2 | Type: Plugin

- The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
  Published: Jul 14, 2025 | Slug: ht-contactform | CVSS: 9.1/10 | CVE: CVE-2025-7341 | Affected Versions: ≥ * & ≤ 2.2.1 | Patched in: 2.2.2 | Type: Plugin

- The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
  Affected Versions: ≥ * & ≤ 7.8.2 | Patched in: 7.8.5 | Type: Theme

- The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
  Affected Versions: ≥ * & ≤ 7.8.3 | Patched in: 7.8.5 | Type: Theme

- The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'restrict-file-access' page. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), provided they can trick a site administrator into performing an action such as clicking on a link.
  Published: Jul 14, 2025 | Slug: restrict-file-access | CVSS: 8.1/10 | CVE: CVE-2025-7667 | Affected Versions: ≥ * & ≤ 1.1.2 | Not patched | Type: Plugin

- The BeeTeam368 Extensions plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_submit_upload_file() function in all versions up to, and including, 2.3.5. This makes it possible for authenticated attackers with Subscriber-level access or higher to upload arbitrary files on the affected site's server, which may make remote code execution possible.
  Published: Jul 11, 2025 | Slug: beeteam368-extensions | CVSS: 8.8/10 | CVE: CVE-2025-6423 | Affected Versions: ≥ * & ≤ 2.3.5 | Patched in: 2.3.6 | Type: Plugin

- The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the plugin not properly validating a user's identity prior to updating their details, such as the email address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account.
  Affected Versions: ≥ * & ≤ 1.6.3 | Patched in: 1.6.4 | Type: Theme