VulnTitan

The WordPress Vulnerability Index

πŸ›‘οΈ Latest Vulnerabilities

  • The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘update_delay_days’ parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

    🗓️ Published: Jul 14, 2025 🧩 Slug: companion-auto-update 📊 CVSS: 5.5/10 🛡️ CVE: CVE-2025-4369
    ⚠️ Affected Versions: ≥ * & ≤ 3.9.2
    ✅ Patched in: 3.9.3
  • The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    πŸ—“οΈ Published: Jul 14, 2025 🧩 Slug: strong-testimonials πŸ“Š CVSS: 6.4/10 πŸ›‘οΈ CVE: CVE-2025-7367
    ⚠️ Affected Versions: β‰₯ * & ≀ 3.2.11
    βœ… Patched in: 3.2.12
  • The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

    πŸ—“οΈ Published: Jul 14, 2025 🧩 Slug: ht-contactform πŸ“Š CVSS: 9.8/10 πŸ›‘οΈ CVE: CVE-2025-7340
    ⚠️ Affected Versions: β‰₯ * & ≀ 2.2.1
    βœ… Patched in: 2.2.2
  • The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

    πŸ—“οΈ Published: Jul 14, 2025 🧩 Slug: ht-contactform πŸ“Š CVSS: 9.1/10 πŸ›‘οΈ CVE: CVE-2025-7360
    ⚠️ Affected Versions: β‰₯ * & ≀ 2.2.1
    βœ… Patched in: 2.2.2
  • The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

    πŸ—“οΈ Published: Jul 14, 2025 🧩 Slug: ht-contactform πŸ“Š CVSS: 9.1/10 πŸ›‘οΈ CVE: CVE-2025-7341
    ⚠️ Affected Versions: β‰₯ * & ≀ 2.2.1
    βœ… Patched in: 2.2.2
  • The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

    πŸ—“οΈ Published: Jul 14, 2025 🧩 Slug: alone πŸ“Š CVSS: 9.1/10 πŸ›‘οΈ CVE: CVE-2025-5393
    ⚠️ Affected Versions: β‰₯ * & ≀ 7.8.2
    βœ… Patched in: 7.8.5
  • The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

    πŸ—“οΈ Published: Jul 14, 2025 🧩 Slug: alone πŸ“Š CVSS: 9.8/10 πŸ›‘οΈ CVE: CVE-2025-5394
    ⚠️ Affected Versions: β‰₯ * & ≀ 7.8.3
    βœ… Patched in: 7.8.5
  • The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'restrict-file-access' page. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

    🗓️ Published: Jul 14, 2025 🧩 Slug: restrict-file-access 📊 CVSS: 8.1/10 🛡️ CVE: CVE-2025-7667
    ⚠️ Affected Versions: ≥ * & ≤ 1.1.2
    ❌ Not patched
  • The BeeTeam368 Extensions plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_submit_upload_file() function in all versions up to, and including, 2.3.5. This makes it possible for authenticated attackers with Subscriber-level access or higher to upload arbitrary files on the affected site's server which may make remote code execution possible.

    πŸ—“οΈ Published: Jul 11, 2025 🧩 Slug: beeteam368-extensions πŸ“Š CVSS: 8.8/10 πŸ›‘οΈ CVE: CVE-2025-6423
    ⚠️ Affected Versions: β‰₯ * & ≀ 2.3.5
    βœ… Patched in: 2.3.6
  • The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the theme not properly validating a user's identity prior to updating their details, such as their email address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.

    🗓️ Published: Jul 11, 2025 🧩 Slug: nokri 📊 CVSS: 8.8/10 🛡️ CVE: CVE-2025-1313
    ⚠️ Affected Versions: ≥ * & ≤ 1.6.3
    ✅ Patched in: 1.6.4