π‘ Did you know?
You can scan your WordPress site in real-time with the VulnTitan Free Plugin.
Need scheduled scans, email alerts, and smart patch suggestions? Upgrade to VulnTitan Pro.
π‘οΈ Latest Vulnerabilities
-
The 3D FlipBook β PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βstyleβ and 'mode' parameters in all versions up to, and including, 1.16.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This issue affects only block-based themes.
ποΈ Published: Jun 20, 2025 𧩠Slug: interactive-3d-flipbook-powered-physics-engine π CVSS: 6.4/10 π‘οΈ CVE: CVE-2025-5289β οΈ Affected Versions: β₯ * & β€ 1.16.15β Patched in: 1.16.16Plugin Read Full Report β -
The TableOn β WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tableon_popup_iframe_button shortcode in all versions up to, and including, 1.0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
ποΈ Published: Jun 20, 2025 𧩠Slug: posts-table-filterable π CVSS: 6.4/10 π‘οΈ CVE: CVE-2025-5143β οΈ Affected Versions: β₯ * & β€ 1.0.4.1β Patched in: 1.0.4.2Plugin Read Full Report β -
The Euro FxRef Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's currency shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
ποΈ Published: Jun 19, 2025 𧩠Slug: euro-fxref-currency-converter π CVSS: 6.4/10 π‘οΈ CVE: CVE-2025-6257β οΈ Affected Versions: β₯ * & β€ 2.0.2β Patched in: 2.0.3Plugin Read Full Report β -
The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_enabled_icons' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 2.9.1.
β οΈ Affected Versions: β₯ * & β€ 2.9.1β Patched in: 2.9.1.1Plugin Read Full Report β -
The Gutenverse News plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βelementIdβ parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
ποΈ Published: Jun 18, 2025 𧩠Slug: gutenverse-news π CVSS: 6.4/10 π‘οΈ CVE: CVE-2025-5234β οΈ Affected Versions: β₯ * & β€ 1.0.4β Patched in: 2.0.0Plugin Read Full Report β -
The GiveWP β Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.
β οΈ Affected Versions: β₯ * & β€ 4.3.0β Patched in: 4.3.1Plugin Read Full Report β -
The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
ποΈ Published: Jun 18, 2025 𧩠Slug: football-pool π CVSS: 5.5/10 π‘οΈ CVE: CVE-2025-5490β οΈ Affected Versions: β₯ * & β€ 2.12.4β Not patchedPlugin Read Full Report β -
OceanWP <= 4.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Select HTML Tag Medium
The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
β οΈ Affected Versions: β₯ * & β€ 4.0.9β Patched in: 4.1.0Theme Read Full Report β -
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
ποΈ Published: Jun 18, 2025 𧩠Slug: download-manager π CVSS: 6.4/10 π‘οΈ CVE: CVE-2025-4367β οΈ Affected Versions: β₯ * & β€ 3.3.18β Patched in: 3.3.19Plugin Read Full Report β -
The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
ποΈ Published: Jun 18, 2025 𧩠Slug: elementskit-lite π CVSS: 6.4/10 π‘οΈ CVE: CVE-2025-4479β οΈ Affected Versions: β₯ * & β€ 3.5.2β Patched in: 3.5.3Plugin Read Full Report β