Vulnerability Advisories

Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence assigns CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.

Assigned CVE IDs and the vulnerability details are published below. For more information about submitting vulnerabilities to Wordfence for CVE ID assignment, please refer to our vulnerability disclosure policy.


Indeed Job Importer <= 1.0.5 Authenticated Stored Cross-Site Scripting

Affected Plugin: Indeed Job Importer
Plugin Slug: indeed-job-importer
Affected Versions: <= 1.0.5
CVE ID: CVE-2021-39355
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-15

The Indeed Job Importer WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/indeed-job-importer/trunk/indeed-job-importer.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


MPL-Publisher – Self-publish your book & ebook <= 1.30.2 Authenticated Stored Cross-Site Scripting

Affected Plugin: MPL-Publisher
Plugin Slug: mpl-publisher
Affected Versions: <= 1.30.2
CVE ID: CVE-2021-39343
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-15

The MPL-Publisher WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/libs/PublisherController.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.30.2. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


JobBoardWP – Job Board Listings and Submissions <= 1.0.7 Authenticated Stored Cross-Site Scripting

Affected Plugin: JobBoardWP – Job Board Listings and Submissions
Plugin Slug: jobboardwp
Affected Versions: <= 1.0.7
CVE ID: CVE-2021-39329
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-15

The JobBoardWP WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-metabox.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.6. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


Author Bio Box <= 3.3.1 Authenticated Stored Cross-Site Scripting

Affected Plugin: Author Bio Box
Plugin Slug: author-bio-box
Affected Versions: <= 2.1.1
CVE ID: CVE-2021-39349
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14

The Author Bio Box WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-author-bio-box-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


HAL <= 2.1.1 Authenticated Stored Cross-Site Scripting

Affected Plugin: HAL
Plugin Slug: hal
Affected Versions: <= 2.1.1
CVE ID: CVE-2021-39345
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14

The HAL WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/wp-hal.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.1.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


KJM Admin Notices <= 2.0.1 Authenticated Stored Cross-Site Scripting

Affected Plugin: KJM Admin Notices
Plugin Slug: kjm-admin-notices
Affected Versions: <= 2.0.1
CVE ID: CVE-2021-39344
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14

The KJM Admin Notices WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/class-kjm-admin-notices-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


MyBB Cross-Poster <= 1.0 Authenticated Stored Cross-Site Scripting

Affected Plugin: MyBB Cross-Poster
Plugin Slug: mybb-cross-poster
Affected Versions: <= 1.0
CVE ID: CVE-2021-39338
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14

The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


job-portal <= 0.0.1 Authenticated Stored Cross-Site Scripting

Affected Plugin: job-portal
Plugin Slug: job-portal
Affected Versions: <= 0.0.1
CVE ID: CVE-2021-39337
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14

The job-portal WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin/jobs_function.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 0.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


Job Manager <= 0.7.25 Authenticated Stored Cross-Site Scripting

Affected Plugin: Job Manager
Plugin Slug: job-manager
Affected Versions: <= 0.7.25
CVE ID: CVE-2021-39336
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14

The Job Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/admin-jobs.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 0.7.25. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


WpGenius Job Listing <= 1.0.2 Authenticated Stored Cross-Site Scripting

Affected Plugin: WpGenius Job Listing
Plugin Slug: wpgenious-job-listing
Affected Versions: <= 1.0
CVE ID: CVE-2021-39335
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14

The WpGenius Job Listing WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/src/admin/class/class-wpgenious-job-listing-options.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0.2. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


Job Board Vanila Plugin <= 1.0 Authenticated Stored Cross-Site Scripting

Affected Plugin: Job Board Vanila Plugin
Plugin Slug: job-board-vanilla
Affected Versions: <= 1.0
CVE ID: CVE-2021-39334
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14

The Job Board Vanila WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the psjb_exp_in and the psjb_curr_in parameters found in the ~/job-settings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


Business Manager – WordPress ERP, HR, CRM, and Project Management Plugin <= 1.4.5 Authenticated Stored Cross-Site Scripting

Affected Plugin: Business Manager
Plugin Slug: business-manager
Affected Versions: <= 1.4.5
CVE ID: CVE-2021-39332
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-14

The Business Manager WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found throughout the plugin which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.4.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


Brizy – Page Builder <= 2.3.11 Authenticated File Upload and Path Traversal

Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Affected Versions: <= 2.3.11
CVE ID: CVE-2021-38346
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12
Recommended Remediation: Update to version 2.3.12, or newer.
Publication Date: 2021-10-13

The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file would be named using the id parameter, which could be prepended with “../” to perform directory traversal, and the file contents were populated via the ibsf parameter, which would be base64-decoded and written to the file. While the plugin added a .jpg extension to all uploaded filenames, a double extension attack was still possible, e.g. a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations. Read more here.


Brizy – Page Builder <= 2.3.11 Authenticated Stored Cross-Site Scripting

Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Affected Versions: <= 2.3.11
CVE ID: CVE-2021-38344
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12
Recommended Remediation: Update to version 2.3.12, or newer.
Publication Date: 2021-10-13

The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as a subscribers. It was possible to add malicious JavaScript to a page by modifying the request sent to update the page via the brizy_update_item AJAX action and adding JavaScript to the data parameter, which would be executed in the session of any visitor viewing or previewing the post or page. Read more here.


Brizy – Page Builder <= 1.0.125 and 1.0.127 – 2.3.11 Incorrect Authorization Checks Allowing Post Modification

Affected Plugin: Brizy – Page Builder
Plugin Slug: brizy
Affected Versions: <= 1.0.125 and 1.0.127 – 2.3.11
CVE ID: CVE-2021-38345
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 2.3.12
Recommended Remediation: Update to version 2.3.12, or newer.
Publication Date: 2021-10-13

The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127. Read more here.


Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress <= 5.0.06 Authenticated Stored Cross-Site Scripting

Affected Plugin: Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress
Plugin Slug: formidable
Affected Versions: <= 5.0.06
CVE ID: CVE-2021-39330
CVSS Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: 5.0.07
Recommended Remediation: Update to version 5.0.07, or newer.
Publication Date: 2021-10-13

The Formidable Form Builder WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found in the ~/classes/helpers/FrmAppHelper.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 5.0.06. This only affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.


Access Demo Importer <= 1.0.6 – Authenticated Arbitrary File Upload

Affected Plugin: Access Demo Importer
Plugin Slug: access-demo-importer
Affected Versions: <= 1.0.6
CVE ID: CVE-2021-39317
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 1.0.7
Recommended Remediation: Update to version 1.0.7, or newer.
Publication Date: 2021-10-06

Versions up to, and including, 1.0.6, of the Access Demo Importer WordPress plugin are vulnerable to arbitrary file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the ~/inc/demo-functions.php. Read more here.


WP Bannerize 2.0.0 – 4.0.2 – Authenticated SQL Injection

Affected Plugin: WP Bannerize
Plugin Slug: wp-bannerize
Affected Versions: 2.0.0 – 4.0.2
CVE ID: CVE-2021-39351
CVSS Score: 7.7 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Researcher/s: Margaux DABERT from Intrinsec
Fully Patched Version: Unpatched.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-10-05

The WP Bannerize WordPress plugin is vulnerable to authenticated SQL injection via the id parameter found in the ~/Classes/wpBannerizeAdmin.php file which allows attackers to exfiltrate sensitive information from vulnerable sites. This issue affects versions 2.0.0 – 4.0.2.


FV Flowplayer Video Player <= 7.5.0.727 – 7.5.2.727 Reflected Cross-Site Scripting

Affected Plugin: FV Flowplayer Video Player
Plugin Slug: fv-wordpress-flowplayer
Affected Versions: 7.5.0.727 – 7.5.2.727
CVE ID: CVE-2021-39350
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Margaux DABERT from Intrinsec & Erwan from WPScan*
Fully Patched Version: 7.5.3.727
Recommended Remediation: Update to version 7.5.3.727, or newer.
Publication Date: 2021-10-05

The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 – 7.5.2.727.

*Both researchers discovered this vulnerability independently around the same time and both disclosed to the vendor independently.


Stripe for WooCommerce 3.0.0 – 3.3.9 Missing Authorization Controls to Financial Account Hijacking

Affected Plugin: Stripe for WooCommerce
Plugin Slug: woo-stripe-payment
Affected Versions: 3.0.0 – 3.3.9
CVE ID: CVE-2021-39347
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: Margaux DABERT from Intrinsec
Fully Patched Version: 3.3.10
Recommended Remediation: Update to version 3.3.10, or newer.
Publication Date: 2021-10-01

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts. This affects versions 3.0.0 – 3.3.9.


Credova_Financial <= 1.4.8 Sensitive Information Disclosure

Affected Plugin: Credova_Financial
Plugin Slug: credova-financial
Affected Versions: <= 1.4.8
CVE ID: CVE-2021-39342
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Marvin Santos
Fully Patched Version: 1.4.9
Recommended Remediation: Update to version 1.4.9, or newer.
Publication Date: 2021-09-29

The Credova_Financial WordPress plugin discloses a site’s associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.


Countdown and CountUp, WooCommerce Sales Timers <= 1.5.7 Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Plugin: Countdown and CountUp, WooCommerce Sales Timers
Plugin Slug: countdown-wpdevart-extended
Affected Versions: <= 1.5.7
CVE ID: CVE-2021-34636
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Xu-Liang Liao
Fully Patched Version: 1.5.8
Recommended Remediation: Update to version 1.5.8, or newer.
Publication Date: 2021-09-27

The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7.


Ninja Forms <= 3.5.7 Unprotected REST-API to Email Injection

Affected Plugin: Ninja Forms 
Plugin Slug: ninja-forms
Affected Versions: <= 3.5.7
CVE ID: CVE-2021-34648
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.5.8
Recommended Remediation: Update to version 3.5.8, or newer.
Publication Date: 2021-09-22

The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send arbitrary emails from the affected server via the /ninja-forms-submissions/email-action REST API which can be used to socially engineer victims. Read more here.


Ninja Forms <= 3.5.7 Unprotected REST-API to Sensitive Information Disclosure

Affected Plugin: Ninja Forms 
Plugin Slug: ninja-forms
Affected Versions: <= 3.5.7
CVE ID: CVE-2021-34647
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.5.8
Recommended Remediation: Update to version 3.5.8, or newer.
Publication Date: 2021-09-22

The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to export all Ninja Forms submissions data via the /ninja-forms-submissions/export REST API which can include personally identifiable information. Read more here. 


Telefication <= 1.8.0 Open Relay and Server-Side Request Forgery

Affected Plugin: Telefication
Plugin Slug: telefication
Affected Versions: <= 1.8.0
CVE ID: CVE-2021-39339
CVSS Score: 5.8 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
Researcher/s: Marco Wotschka & Charles Strader Sweethill
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-21

The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0.


OptinMonster <= 2.6.0 Reflected Cross-Site Scripting

Affected Plugin: OptinMonster
Plugin Slug: optinmonster
Affected Versions: <= 2.6.0
CVE ID: CVE-2021-39325
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Mariia Aleksandrova
Fully Patched Version: 2.6.1
Recommended Remediation: Update to version 2.6.1, or newer.
Publication Date: 2021-09-20

The OptinMonster WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient input validation in the load_previews function found in the ~/OMAPI/Output.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.6.0.


 eID Easy <= 4.6 Reflected Cross-Site Scripting

Affected Plugin: eID Easy
Plugin Slug: smart-id
Affected Versions: <= 4.6
CVE ID: CVE-2021-34650
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: 4.7
Recommended Remediation: Update to version 4.7, or newer.
Publication Date: 2021-09-17

The eID Easy WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error parameter found in the ~/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.6.


BulletProof Security <= 5.1 Sensitive Information Disclosure

Affected Plugin: BulletProof Security
Plugin Slug: bulletproof-security
Affected Versions: <= 5.1
CVE ID: CVE-2021-39327
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Vincent Rakotomanga
Fully Patched Version: 5.2
Recommended Remediation: Update to version 5.2, or newer.
Publication Date: 2021-09-16

The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This affects versions up to, and including, 5.1.


wp-publications <= 0.0 Local File Include

Affected Plugin: wp-publications
Plugin Slug: wp-publications
Affected Versions: <= 0.0
CVE ID: CVE-2021-38360
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The wp-publications WordPress plugin is vulnerable to restrictive local file inclusion via the Q_FILE parameter found in the ~/bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution, in versions up to and including 0.0.


WordPress InviteBox Plugin for viral Refer-a-Friend Promotions <= 1.4.1 Reflected Cross-Site Scripting

Affected Plugin: WordPress InviteBox Plugin
Plugin Slug: refer-a-friend-widget-for-wp
Affected Versions: <= 1.4.1
CVE ID: CVE-2021-38359
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The WordPress InviteBox Plugin for viral Refer-a-Friend Promotions WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the message parameter found in the ~/admin/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.1.


MoolaMojo <= 0.7.4.1 Reflected Cross-Site Scripting

Affected Plugin: MoolaMojo
Plugin Slug: moolamojo
Affected Versions: <= 0.7.4.1
CVE ID: CVE-2021-38358
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The MoolaMojo WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the classes parameter found in the ~/views/button-generator.html.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.4.1.


SMS OVH <= 0.1 Reflected Cross-Site Scripting

Affected Plugin: SMS OVH
Plugin Slug: sms-ovh
Affected Versions: <= 0.1
CVE ID: CVE-2021-38357
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The SMS OVH WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the position parameter found in the ~/sms-ovh-sent.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.1.


Bug Library <= 2.0.3 Reflected Cross-Site Scripting

Affected Plugin: Bug Library
Plugin Slug: bug-library
Affected Versions: <= 2.0.3
CVE ID: CVE-2021-38355
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Bug Library WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the successimportcount parameter found in the ~/bug-library.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.3.


GNU-Mailman Integration <= 1.0.6 Reflected Cross-Site Scripting

Affected Plugin: GNU-Mailman Integration
Plugin Slug: gnu-mailman-integration
Affected Versions: <= 1.0.6
CVE ID: CVE-2021-38354
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The GNU-Mailman Integration WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the gm_error parameter found in the ~/includes/admin/mailing-lists-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6.


Dropdown and scrollable Text <= 2.0 Reflected Cross-Site Scripting

Affected Plugin: Dropdown and scrollable Text
Plugin Slug: dropdown-and-scrollable-text
Affected Versions: <= 2.0
CVE ID: CVE-2021-38353
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Dropdown and scrollable Text WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the content parameter found in the ~/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.


Feedify – Web Push Notifications <= 2.1.8 Reflected Cross-Site Scripting

Affected Plugin: Feedify – Web Push Notifications
Plugin Slug: push-notification-by-feedify
Affected Versions: <= 2.1.8
CVE ID: CVE-2021-38352
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Feedify – Web Push Notifications WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the feedify_msg parameter found in the ~/includes/base.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.8.


OSD Subscribe <= 1.2.3 Reflected Cross-Site Scripting

Affected Plugin: OSD Subscribe
Plugin Slug: osd-subscribe
Affected Versions: <= 1.2.3
CVE ID: CVE-2021-38351
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The OSD Subscribe WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the osd_subscribe_message parameter found in the ~/options/osd_subscribe_options_subscribers.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.3.


spideranalyse <= 0.0.1 Reflected Cross-Site Scripting

Affected Plugin: spideranalyse
Plugin Slug: spideranalyse
Affected Versions: <= 0.0.1
CVE ID: CVE-2021-38350
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The spideranalyse WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the date parameter found in the ~/analyse/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.1.


Integration of Moneybird for WooCommerce <= 2.1.1 Reflected Cross-Site Scripting

Affected Plugin: Integration of Moneybird for WooCommerce
Plugin Slug: woo-moneybird
Affected Versions: <= 2.1.1
CVE ID: CVE-2021-38349
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error_description parameter found in the ~/templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1.


Advance Search <= 1.1.2 Reflected Cross-Site Scripting

Affected Plugin: Advance Search
Plugin Slug: advance-search
Affected Versions: <= 1.1.2
CVE ID: CVE-2021-38348
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Advance Search WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the wpas_id parameter found in the ~/inc/admin/views/html-advance-search-admin-options.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.2.


Custom Website Data <= 2.2 Reflected Cross-Site Scripting

Affected Plugin: Custom Website Data
Plugin Slug: simple-custom-website-data
Affected Versions: <= 2.2
CVE ID: CVE-2021-38347
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Custom Website Data WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter found in the ~/views/edit.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.2.


WooCommerce Payment Gateway Per Category <= 2.0.10 Reflected Cross-Site Scripting

Affected Plugin: WooCommerce Payment Gateway Per Category
Plugin Slug: wc-payment-gateway-per-category
Affected Versions: <= 2.0.10
CVE ID: CVE-2021-38341
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The WooCommerce Payment Gateway Per Category WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/includes/plugin_settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.10.


WordPress Simple Shop <= 1.2 Reflected Cross-Site Scripting

Affected Plugin: WordPress Simple Shop
Plugin Slug: webful-simple-grocery-shop
Affected Versions: <= 1.2
CVE ID: CVE-2021-38340
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The WordPress Simple Shop WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the update_row parameter found in the ~/includes/add_product.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.


Simple Matted Thumbnails <= 1.01 Reflected Cross-Site Scripting

Affected Plugin: Simple Matted Thumbnails
Plugin Slug: simple-matted-thumbnails
Affected Versions: <= 1.01
CVE ID: CVE-2021-38339
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Simple Matted Thumbnails WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/simple-matted-thumbnail.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.01.


Border Loading Bar <= 1.0.1 Reflected Cross-Site Scripting

Affected Plugin: Border Loading Bar
Plugin Slug: border-loading-bar
Affected Versions: <= 1.0.1
CVE ID: CVE-2021-38338
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Border Loading Bar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the f and t parameter found in the ~/titan-framework/iframe-googlefont-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.


RSVPMaker Excel <= 1.1 Reflected Cross-Site Scripting

Affected Plugin: RSVPMaker Excel
Plugin Slug: rsvpmaker-excel
Affected Versions: <= 1.1
CVE ID: CVE-2021-38337
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The RSVPMaker Excel WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/phpexcel/PHPExcel/Shared/JAMA/docs/download.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.


Edit Comments XT <= 1.0 Reflected Cross-Site Scripting

Affected Plugin: Edit Comments XT
Plugin Slug: edit-comments-xt
Affected Versions: <= 1.0
CVE ID: CVE-2021-38336
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Edit Comments XT WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/edit-comments-xt.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.


Wise Agent Capture Forms <= 1.0 Reflected Cross-Site Scripting

Affected Plugin: Wise Agent Capture Forms
Plugin Slug: wiseagentleadform
Affected Versions: <= 1.0
CVE ID: CVE-2021-38335
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Wise Agent Capture Forms WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/WiseAgentCaptureForm.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.


WP Design Maps & Places <= 1.2 Reflected Cross-Site Scripting

Affected Plugin: WP Design Maps & Places
Plugin Slug: wp-design-maps-places
Affected Versions: <= 1.2
CVE ID: CVE-2021-38334
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The WP Design Maps & Places WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the filename parameter found in the ~/wpdmp-admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.


WP Scrippets <= 1.5.1 Reflected Cross-Site Scripting

Affected Plugin: WP Scrippets
Plugin Slug: wp-scrippets
Affected Versions: <= 1.5.1
CVE ID: CVE-2021-38333
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The WP Scrippets WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/wp-scrippets.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.1.


On Page SEO + Whatsapp Chat Button <= 1.0.1 Reflected Cross-Site Scripting

Affected Plugin: On Page SEO + Whatsapp Chat Button
Plugin Slug: ops-robots-txt
Affected Versions: <= 1.0.1
CVE ID: CVE-2021-38332
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The On Page SEO + Whatsapp Chat Button Plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.1.


WP-T-Wap <= 1.13.2 Reflected Cross-Site Scripting

Affected Plugin: WP-T-Wap
Plugin Slug: wp-t-wap
Affected Versions: <= 1.13.2
CVE ID: CVE-2021-38331
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The WP-T-Wap WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the posted parameter found in the ~/wap/writer.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.13.2.


Yet Another bol.com Plugin <= 1.4 Reflected Cross-Site Scripting

Affected Plugin: Yet Another bol.com Plugin
Plugin Slug: yabp
Affected Versions: <= 1.4
CVE ID: CVE-2021-38330
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Yet Another bol.com Plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/yabp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.


DJ EmailPublish <= 1.7.2 Reflected Cross-Site Scripting

Affected Plugin: DJ EmailPublish
Plugin Slug: dj-email-publish
Affected Versions: <= 1.7.2
CVE ID: CVE-2021-38329
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The DJ EmailPublish WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/dj-email-publish.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.7.2.


Notices <= 6.1 Reflected Cross-Site Scripting

Affected Plugin: Notices
Plugin Slug: notices
Affected Versions: <= 6.1
CVE ID: CVE-2021-38328
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Notices WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/notices.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.1.


YouTube Video Inserter <= 1.2.1.0 Reflected Cross-Site Scripting

Affected Plugin: YouTube Video Inserter
Plugin Slug: youtube-video-inserter
Affected Versions: <= 1.2.1.0
CVE ID: CVE-2021-38327
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The YouTube Video Inserter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/adminUI/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.1.0.


Post Title Counter <= 1.1 Reflected Cross-Site Scripting

Affected Plugin: Post Title Counter
Plugin Slug: post-title-counter
Affected Versions: <= 1.1
CVE ID: CVE-2021-38326
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-09

The Post Title Counter WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the notice parameter found in the ~/post-title-counter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.1.


User Activation Email <= 1.3.0 Reflected Cross-Site Scripting

Affected Plugin: User Activation Email
Plugin Slug: user-activation-email
Affected Versions: <= 1.3.0
CVE ID: CVE-2021-38325
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08

The User Activation Email WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the uae-key parameter found in the ~/user-activation-email.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.0.


SP Rental Manager <= 1.5.3 Unauthenticated SQL Injection

Affected Plugin: SP Rental Manager
Plugin Slug: sp-rental-manager
Affected Versions: <= 1.5.3
CVE ID: CVE-2021-38324
CVSS Score: 8.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08

The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the ~/user/shortcodes.php file which allows attackers to retrieve information contained in a site’s database, in versions up to and including 1.5.3.


RentPress <= 6.6.4 Reflected Cross-Site Scripting

Affected Plugin: RentPress
Plugin Slug: rentpress
Affected Versions: <= 6.6.4
CVE ID: CVE-2021-38323
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08

The RentPress WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the selections parameter found in the ~/src/rentPress/AjaxRequests.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 6.6.4.


Twitter Friends Widget <= 3.1 Reflected Cross-Site Scripting

Affected Plugin: Twitter Friends Widget
Plugin Slug: twitter-friends-widget
Affected Versions: <= 3.1
CVE ID: CVE-2021-38322
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08

The Twitter Friends Widget WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the pmc_TF_user and pmc_TF_password parameter found in the ~/twitter-friends-widget.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.1.


Custom Menu Plugin <= 1.3.3 Reflected Cross-Site Scripting

Affected Plugin: Custom Menu Plugin
Plugin Slug: custom-sub-menus
Affected Versions: <= 1.3.3
CVE ID: CVE-2021-38321
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08

The Custom Menu Plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the selected_menu parameter found in the ~/custom-menus.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.3.


simpleSAMLphp Authentication <= 0.7.0 Reflected Cross-Site Scripting

Affected Plugin: simpleSAMLphp Authentication
Plugin Slug: simplesamlphp-authentication
Affected Versions: <= 0.7.0
CVE ID: CVE-2021-38320
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08

The simpleSAMLphp Authentication WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/simplesamlphp-authentication.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.0.


More From Google <= 0.0.2 Reflected Cross-Site Scripting

Affected Plugin: More From Google
Plugin Slug: more-from-google
Affected Versions: <= 0.0.2
CVE ID: CVE-2021-38319
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08

The More From Google WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/morefromgoogle.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2.


3D Cover Carousel <= 1.0 Reflected Cross-Site Scripting

Affected Plugin: 3D Cover Carousel
Plugin Slug: 3d-cover-carousel
Affected Versions: <= 1.0
CVE ID: CVE-2021-38318
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08

The 3D Cover Carousel WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/cover-carousel.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.


Konnichiwa! Membership <= 0.8.3 Reflected Cross-Site Scripting

Affected Plugin: Konnichiwa! Membership
Plugin Slug: konnichiwa
Affected Versions: <= 0.8.3
CVE ID: CVE-2021-38317
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08

The Konnichiwa! Membership WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the plan_id parameter in the ~/views/subscriptions.html.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.8.3.


WP Academic People List <= 0.4.1 Reflected Cross-Site Scripting

Affected Plugin: WP Academic People List
Plugin Slug: wp-academic-people
Affected Versions: <= 0.4.1
CVE ID: CVE-2021-38316
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-09-08

The WP Academic People List WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the category_name parameter in the ~/admin-panel.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.4.1.


Gutenberg Template Library & Redux Framework <= 4.2.11 Sensitive Information Disclosure

Affected Plugin: Gutenberg Template Library & Redux Framework
Plugin Slug: redux-framework
Affected Versions: <= 4.2.11
CVE ID: CVE-2021-38314
CVSS Score: 5.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Ram Gall
Fully Patched Version: 4.2.13
Recommended Remediation: Update to version 4.2.13, or newer.
Publication Date: 2021-09-01

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the includes function in redux-core/class-redux-core.php that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of ‘-redux’ and an md5 hash of the previous hash with a known salt value of ‘-support’. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site’s PHP version, and an unsalted md5 hash of site’s AUTH_KEY concatenated with the SECURE_AUTH_KEY. Read More Here.


Gutenberg Template Library & Redux Framework <= 4.2.11 Incorrect Authorization Check to Arbitrary Plugin Installation and Post Deletion

Affected Plugin: Gutenberg Template Library & Redux Framework
Plugin Slug: redux-framework
Affected Versions: <= 4.2.11
CVE ID: CVE-2021-38312
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Researcher/s: Ram Gall
Fully Patched Version: 4.2.13
Recommended Remediation: Update to version 4.2.13, or newer.
Publication Date: 2021-09-01

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress used an incorrect authorization check in the REST API endpoints registered under the “redux/v1/templates/” REST Route in “redux-templates/classes/class-api.php”. The permissions_callback used in this file only checked for the edit_posts capability which is granted to lower-privileged users such as contributors, allowing such users to install arbitrary plugins from the WordPress repository and edit arbitrary posts. Read More Here.


Easy Social Icons <= 3.0.8 – Reflected Cross-Site Scripting

Affected Plugin: Easy Social Icons
Plugin Slug:  easy-social-icons
Affected Versions: <= 3.0.8
CVE ID: CVE-2021-39322
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ram Gall
Fully Patched Version: 3.0.9
Recommended Remediation: Update to version 3.0.9, or newer.
Publication Date: 2021-09-01

The Easy Social Icons plugin <= 3.0.8 for WordPress echoes out the raw value of $_SERVER['PHP_SELF'] in its main file. On certain configurations including Apache+modPHP this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.


underConstruction <= 1.18 – Reflected Cross-Site Scripting

Affected Plugin: underConstruction
Plugin Slug: underconstruction
Affected Versions: <= 1.18
CVE ID: CVE-2021-39320
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ram Gall
Fully Patched Version: 1.19
Recommended Remediation: Update to version 1.19, or newer.
Publication Date: 2021-08-31

The underConstruction plugin <= 1.18 for WordPress echoes out the raw value of $GLOBALS['PHP_SELF'] in the ucOptions.php file. On certain configurations including Apache+modPHP, this makes it possible to use it to perform a reflected Cross-Site Scripting attack by injecting malicious code in the request path.


DZS Zoomsounds <= 6.45 Unauthenticated Directory Traversal

Affected Plugin: DZS Zoomsounds
Plugin Slug: dzs-zoomsounds
Affected Versions: <= 6.45
CVE ID: CVE-2021-39316
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Researcher/s: DigitalJessica Ltd
Fully Patched Version: 6.50
Recommended Remediation: Update to version 6.50 or newer.
Publication Date: 2021-08-30

The Zoomsounds plugin <= 6.45 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the dzsap_download action using directory traversal in the link parameter.


Nested Pages <= 3.1.15 Open Redirect

Affected Plugin: Nested Pages
Plugin Slug: wp-nested-pages
Affected Versions: <= 3.1.15
CVE ID: CVE-2021-38343
CVSS Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Researcher/s: Ram Gall
Fully Patched Version: 3.1.16
Recommended Remediation: Update to version 3.1.16 or newer.
Publication Date: 2021-08-25

The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to an Open Redirect via the page POST parameter in the npBulkActionsnpBulkEditnpListingSort, and npCategoryFilter admin_post actions. Read more here.


Nested Pages <= 3.1.15 Cross-Site Request Forgery to Arbitrary Post Deletion and Modification

Affected Plugin: Nested Pages
Plugin Slug: wp-nested-pages
Affected Versions: <= 3.1.15
CVE ID: CVE-2021-38342
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Researcher/s: Ram Gall
Fully Patched Version: 3.1.16
Recommended Remediation: Update to version 3.1.16 or newer.
Publication Date: 2021-08-25

The Nested Pages WordPress plugin <= 3.1.15 was vulnerable to Cross-Site Request Forgery via the npBulkActions and npBulkEdit admin_post actions, which allowed attackers to trash or permanently purge arbitrary posts as well as changing their status, reassigning their ownership, and editing other metadata. Read more here.


WordPress Real Media Library <= 4.14.1 Author-only Stored Cross-Site Scripting

Affected Plugin: WordPress Real Media Library
Plugin Slug: real-media-library-lite
Affected Versions: <= 4.14.1
CVE ID: CVE-2021-34668
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: 4.14.2
Recommended Remediation: Update to version 4.14.2 or newer.
Publication Date: 2021-08-25

The WordPress Real Media Library WordPress plugin is vulnerable to Stored Cross-Site Scripting via the name parameter in the ~/inc/overrides/lite/rest/Folder.php file which allows author-level attackers to inject arbitrary web scripts in folder names, in versions up to and including 4.14.1.


Booster for WooCommerce <= 5.4.3 Authentication Bypass

Affected Plugin: Booster For WooCommerce
Plugin Slug: woocommerce-jetpack
Affected Versions: <= 5.4.3
CVE ID: CVE-2021-34646
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 5.4.4
Recommended Remediation: Update to version 5.4.4 or newer.
Publication Date: 2021-08-24

Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Email Verification module to be active in the plugin and the Login User After Successful Verification setting to be enabled, which it is by default. Read more here.


Shopping Cart & eCommerce Store <= 5.1.0 Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Plugin: Shopping Cart & eCommerce Store
Plugin Slug: wp-easycart
Affected Versions: <= 5.1.0
CVE ID: CVE-2021-34645
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Xu-Liang Liao
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-18

The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0.


SP Project & Document Manager <= 4.25 Attribute-based Reflected Cross-Site Scripting

Affected Plugin: SP Project & Document Manager
Plugin Slug: sp-client-document-manager
Affected Versions: <= 4.25
CVE ID: CVE-2021-38315
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Thinkland Security Team
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-16

The SP Project & Document Manager WordPress plugin is vulnerable to attribute-based Reflected Cross-Site Scripting via the from and to parameters in the ~/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.25.


SEOPress 5.0.0 – 5.0.3 Authenticated Stored Cross-Site Scripting

Affected Plugin: SEOPress
Plugin Slug: wp-seopress
Affected Versions: 5.0.0 – 5.0.3
CVE ID: CVE-2021-34641
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 5.0.4
Recommended Remediation: Update to version 5.0.4 or newer.
Publication Date: 2021-08-16

The SEOPress WordPress plugin is vulnerable to Stored Cross-Site-Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file which allows authenticated attackers to inject arbitrary web scripts, in versions 5.0.0 – 5.0.3. Read more here.


Calendar_plugin <= 1.0 Reflected Cross-Site Scripting

Affected Plugin: Calendar_plugin
Plugin Slug: calendar-plugin
Affected Versions: <= 1.0
CVE ID: CVE-2021-34667
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Calendar_plugin WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/calendar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.


Add Sidebar <= 2.0.0 Reflected Cross-Site Scripting

Affected Plugin: Add Sidebar
Plugin Slug: sidebar-adder
Affected Versions: <= 2.0.0
CVE ID: CVE-2021-34666
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Add Sidebar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the add parameter in the ~/wp_sidebarMenu.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.0.


 WP SEO Tags <= 2.2.7 Reflected Cross-Site Scripting

Affected Plugin:  WP SEO Tags
Plugin Slug: wp-seo-tags
Affected Versions: <= 2.2.7
CVE ID: CVE-2021-34665
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The WP SEO Tags WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the saq_txt_the_filter parameter in the ~/wp-seo-tags.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.2.7.


Moova for WooCommerce <= 3.5 Reflected Cross-Site Scripting

Affected Plugin: Moova for WooCommerce
Plugin Slug: moova-for-woocommerce
Affected Versions: <= 3.5
CVE ID: CVE-2021-34664
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Moova for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the lat parameter in the ~/Checkout/Checkout.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.


jQuery Tagline Rotator <= 0.1.5 Reflected Cross-Site Scripting

Affected Plugin: jQuery Tagline Rotator
Plugin Slug:  jquery-tagline-rotator
Affected Versions: <= 0.1.5
CVE ID: CVE-2021-34663
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The jQuery Tagline Rotator WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/jquery-tagline-rotator.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.1.5.


Plugmatter Pricing Table Lite <= 1.0.32 Reflected Cross-Site Scripting

Affected Plugin: Plugmatter Pricing Table Lite
Plugin Slug: plugmatter-pricing-table
Affected Versions: <= 1.0.32
CVE ID: CVE-2021-34659
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Plugmatter Pricing Table Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the email parameter in the ~/license.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.32.


 Simple Popup Newsletter <= 1.4.7 Reflected Cross-Site Scripting

Affected Plugin: Simple Popup Newsletter
Plugin Slug: simple-popup-newsletter
Affected Versions: <= 1.4.7
CVE ID: CVE-2021-34658
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Simple Popup Newsletter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.7.


TypoFR <= 0.11 Reflected Cross-Site Scripting

Affected Plugin: TypoFR
Plugin Slug:  typofr
Affected Versions: <= 0.11
CVE ID: CVE-2021-34657
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The 2TypoFR WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the text function found in the ~/vendor/Org_Heigl/Hyphenator/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.11.


WP Songbook <= 2.0.11 Reflected Cross-Site Scripting

Affected Plugin: WP Songbook
Plugin Slug: wp-songbook
Affected Versions: <= 2.0.11
CVE ID: CVE-2021-34655
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The WP Songbook WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the url parameter found in the ~/inc/class.ajax.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.11.


Custom Post Type Relations <= 1.0 Reflected Cross-Site Scripting

Affected Plugin: Custom Post Type Relations
Plugin Slug: custom-post-type-relations
Affected Versions: <= 1.0
CVE ID: CVE-2021-34654
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Custom Post Type Relations WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the cptr[name] parameter found in the ~/pages/admin-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.


2Way VideoCalls and Random Chat – HTML5 Webcam Videochat <= 5.2.7 Reflected Cross-Site Scripting

Affected Plugin: 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat
Plugin Slug: webcam-2way-videochat
Affected Versions: <= 5.2.7
CVE ID: CVE-2021-34656
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The 2Way VideoCalls and Random Chat – HTML5 Webcam Videochat WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the vws_notice function found in the ~/inc/requirements.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.2.7.


WP Fountain <= 1.5.9 Reflected Cross-Site Scripting

Affected Plugin:WP Fountain
Plugin Slug: wp-fountain
Affected Versions: <= 1.5.9
CVE ID: CVE-2021-34653
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The WP Fountain WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/wp-fountain.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.9.


Media Usage <= 0.0.4 Reflected Cross-Site Scripting

Affected Plugin:Media Usage
Plugin Slug: media-usage
Affected Versions: <= 0.0.4
CVE ID: CVE-2021-34652
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Media Usage WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/mmu_admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.4.


Scribble Maps <= 1.2 Reflected Cross-Site Scripting

Affected Plugin: Scribble Maps
Plugin Slug: scribble-maps
Affected Versions: <= 1.2
CVE ID: CVE-2021-34651
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Scribble Maps WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the map parameter in the ~/includes/admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2.


Simple Behance Portfolio <= 0.2 Reflected Cross-Site Scripting

Affected Plugin: Simple Behance Portfolio
Plugin Slug: simple-behace-portfolio
Affected Versions: <= 0.2
CVE ID: CVE-2021-34649
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Simple Behance Portfolio WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the dark parameter in the ~/titan-framework/iframe-font-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.2.


Multiplayer Games <= 3.7 Reflected Cross-Site Scripting

Affected Plugin:Multiplayer Games
Plugin Slug: multiplayer-plugin
Affected Versions: <= 3.7
CVE ID: CVE-2021-34644
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Multiplayer Games WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/multiplayergames.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.7.


Skaut bazar <= 1.3.2 Reflected Cross-Site Scripting

Affected Plugin: Skaut bazar
Plugin Slug: skaut-bazar
Affected Versions: <= 1.3.2
CVE ID: CVE-2021-34643
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.2.


Smart Email Alerts <= 1.0.10 Reflected Cross-Site Scripting

Affected Plugin: Smart Email Alerts
Plugin Slug: smart-email-alerts
Affected Versions: <= 1.0.10
CVE ID: CVE-2021-34642
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-13

The Smart Email Alerts WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the api_key in the ~/views/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.10.


Securimage-WP-Fixed <= 3.5.4  – Reflected Cross-Site Scripting

Affected Plugin: Securimage-WP-Fixed
Plugin Slug: securimage-wp-fixed
Affected Versions: <= 3.5.4
CVE ID: CVE-2021-34640
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: p7e4
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-08-11

The Securimage-WP-Fixed WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.4.


WP Fusion Lite <= 3.37.18 – Cross-Site Request Forgery to Data Deletion

Affected Plugin: WP Fusion Lite
Plugin Slug: wp-fusion-lite
Affected Versions: <= 3.37.18
CVE ID: CVE-2021-34661
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Researcher/s: Xu-Liang Liao
Fully Patched Version: 3.37.30
Recommended Remediation: Update to version 3.37.30, or newer.
Publication Date: 2021-08-06

The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the show_logs_section function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, in versions up to and including 3.37.18.


WP Fusion Lite <= 3.37.18 – Reflected Cross-Site Scripting

Affected Plugin: WP Fusion Lite
Plugin Slug: wp-fusion-lite
Affected Versions: <= 3.37.18
CVE ID: CVE-2021-34660
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Xu-Liang Liao
Fully Patched Version: 3.37.30
Recommended Remediation: Update to version 3.37.30, or newer.
Publication Date: 2021-08-06

The WP Fusion Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the ~/includes/admin/logging/class-log-table-list.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.37.18.


Nifty Newsletters <= 4.0.23 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Plugin: Nifty Newsletters
Plugin Slug: sola-newsletters
Affected Versions: <= 4.0.23
CVE ID: CVE-2021-34634
CVSS Score: 8.8(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Kohei Hino, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-07-30

The Nifty Newsletters WordPress plugin is vulnerable to Cross-Site Request Forgery via the sola_nl_wp_head function found in the ~/sola-newsletters.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.23.


Youtube Feeder <= 2.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Plugin: Youtube Feeder
Plugin Slug: youtube-feeder
Affected Versions: <= 2.0.1
CVE ID: CVE-2021-34633
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Kohei Hino, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall Plugin.
Publication Date: 2021-07-30

The Youtube Feeder WordPress plugin is vulnerable to Cross-Site Request Forgery via the printAdminPage function found in the ~/youtube-feeder.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.1.


WordPress Download Manager <= 3.1.24 Authenticated Arbitrary File Upload

Affected Plugin: WordPress Download Manager
Plugin Slug: download-manager
Affected Versions: <= 3.1.24
CVE ID: CVE-2021-34639
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.25
Recommended Remediation: Update to version 3.1.25 or newer.
Publication Date: 2021-07-29

Authenticated Arbitrary File Upload in WordPress Download Manager <= 3.1.24 allows authenticated (Author+) users to upload files with a double extension, e.g. “payload.php.png”. The destination folder is protected by an .htaccess file so most configurations are not vulnerable. Read more here.


WordPress Download Manager <= 3.1.24 Authenticated Directory Traversal

Affected Plugin:WordPress Download Manager
Plugin Slug: download-manager
Affected Versions: <= 3.1.24
CVE ID: CVE-2021-34638
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 3.1.25
Recommended Remediation: Update to version 3.1.25 or newer.
Publication Date: 2021-07-29

Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks by setting Download template to an uploaded JavaScript with an image extension. Read more here.


Post Index <= 0.7.5 Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Plugin: Post Index
Plugin Slug: post-index
Affected Versions: <= 0.7.5
CVE ID: CVE-2021-34637
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Kentaro Kuroki, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Publication Date: 2021-07-26

The Post Index WordPress plugin is vulnerable to Cross-Site Request Forgery via the OptionsPage function found in the ~/php/settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.7.5.


Poll Maker <= 3.2.8 – Reflected Cross-Site Scripting

Affected Plugin: Poll Maker
Plugin Slug: poll-maker
Affected Versions: <=3.2.8
CVE ID: CVE-2021-34635
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s:  Xu-Liang Liao
Fully Patched Version: 3.2.9
Recommended Remediation: Update to version 3.2.9 or newer.
Publication Date: 2021-07-26

The Poll Maker WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the mcount parameter found in the ~/admin/partials/settings/poll-maker-settings.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.8.


SEO Backlinks <= 4.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Plugin: SEO Backlinks
Plugin Slug: seo-backlinks
Affected Versions: <= 4.0.1
CVE ID: CVE-2021-34632
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Takahiro Yamashita, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Publication Date: 2021-07-26

The SEO Backlinks WordPress plugin is vulnerable to Cross-Site Request Forgery via the loc_config function found in the ~/seo-backlinks.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 4.0.1.


Admin Custom Login <= 3.2.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Plugin: Admin Custom Login
Plugin Slug: admin-custom-login
Affected Versions: <= 3.2.7
CVE ID: CVE-2021-34628
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Ryoma Nishioka, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: 3.2.8
Recommended Remediation: Update to version 3.2.8 or newer.
Publication Date: 2021-07-26

The Admin Custom Login WordPress plugin is vulnerable to Cross-Site Request Forgery due to the loginbgSave action found in the ~/includes/Login-form-setting/Login-form-background.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.7.


GTranslate <= 2.8.64 – Reflected Cross-Site Scripting

Affected Plugin: GTranslate
Plugin Slug: gtranslate
Affected Versions: <= 2.8.64
CVE ID: CVE-2021-34630
CVSS Score: 5.0 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Researcher/s: N/A
Fully Patched Version: 2.8.65
Recommended Remediation: Update to the latest version available.
Publication Date: 2021-07-23

In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although this uses addslashes, and most modern browsers automatically URLencode requests, this plugin is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below, or in cases where an attacker is able to modify the request en route between the client and the server, or in cases where the user is using an atypical browsing solution.


NewsPlugin <= 1.0.18 – Cross-Site Request Forgery to Stored Cross-Site Scripting

Affected Plugin: NewsPlugin
Plugin Slug: newsplugin
Affected Versions: <= 1.0.18
CVE ID: CVE-2021-34631
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Taichi Ichimura, Cryptography Laboratory in Tokyo Denki University
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Publication Date: 2021-07-21

The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handle_save_style function found in the ~/news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.18.


SendGrid <= 1.11.8 – Authorization Bypass

Affected Plugin: SendGrid
Plugin Slug: sendgrid-email-delivery-simplified
Affected Versions: <= 1.11.8
CVE ID: CVE-2021-34629
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Researcher/s: Prashant Baldha
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.
Publication Date: 2021-07-21

The SendGrid WordPress plugin is vulnerable to authorization bypass via the get_ajax_statistics function found in the ~/lib/class-sendgrid-statistics.php file which allows authenticated users to export statistics for a WordPress multi-site main site, in versions up to and including 1.11.8. This vulnerability only affects the main site of WordPress multi-site installations.


WP Upload Restriction <= 2.2.3 – Authenticated Stored Cross-Site Scripting

Affected Plugin: WP Upload Restriction
Plugin Slug: wp-upload-restriction
Affected Versions: <= 2.2.3
CVE ID: CVE-2021-34625
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Angelo Righi
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.

Missing Access Control in the saveCustomType function allows for authenticated users, such as subscribers, to add mime types and extensions through unsanitized parameters that makes it possible to inject malicious web scripts that later execute when an administrator visits the extensions page.


WP Upload Restriction <= 2.2.3 – Missing Access Control in deleteCustomType function

Affected Plugin: WP Upload Restriction
Plugin Slug: wp-upload-restriction
Affected Versions: <= 2.2.3
CVE ID: CVE-2021-34626
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Researcher/s: N/A
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.

Missing access control in deleteCustomType function allows authenticated users, such as subscribers, to delete custom extensions.


WP Upload Restriction <= 2.2.3 – Missing Access Control in getSelectedMimeTypesByRole function

Affected Plugin: WP Upload Restriction
Plugin Slug: wp-upload-restriction
Affected Versions: <= 2.2.3
CVE ID: CVE-2021-34627
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Researcher/s: N/A
Fully Patched Version: No patch available, plugin closed for download.
Recommended Remediation: Uninstall plugin.

Missing access control in getSelectedMimeTypesByRole function allows authenticated users, such as subscribers, to retrieve approved mime types for any given role.


ProfilePress 3.0 – 3.1.3 – Unauthenticated Privilege Escalation

Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.0 – 3.1.3
CVE ID: CVE-2021-34621
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4
Recommended Remediation: Update to version 3.1.4 or newer

During user registration, users could supply arbitrary user meta data that would get updated during the registration process making it possible for anyone to register as an administrator. More details.


ProfilePress 3.0 – 3.1.3 – Authenticated Privilege Escalation

Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.0 – 3.1.3
CVE ID: CVE-2021-34622
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4
Recommended Remediation: Update to version 3.1.4 or newer

During user profile updates, users could supply arbitrary user meta data that would get updated making it possible for anyone to escalate their privileges to that of an administrator. More details.


ProfilePress 3.0 – 3.1.3 – Arbitrary File Upload in Image Uploader Component

Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.0 – 3.1.3
CVE ID: CVE-2021-34623
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4
Recommended Remediation: Update to version 3.1.4 or newer

The image uploader component used to upload profile photos and user cover photos was vulnerable to arbitrary file uploads due to insufficient file type validation. More details.


ProfilePress 3.0 – 3.1.3 – Arbitrary File Upload in File Uploader Component

Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.0- 3.1.3
CVE ID: CVE-2021-34624
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4
Recommended Remediation: Update to version 3.1.4 or newer

The file uploader component used to upload files during registration was vulnerable to arbitrary file uploads due to insufficient file type validation. More details.


WP Fluent Forms <= 3.6.65 – CSRF to Stored XSS

Affected Plugin: WP Fluent Forms
Plugin Slug: fluentform
Affected Versions: < 3.6.67
CVE ID: CVE-2021-34620
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Researcher/s: Ramuel Gall
Fully Patched Version: 3.6.67
Recommended Remediation: Update to version 3.6.67 or newer.

This plugin is vulnerable to Cross-Site Request Forgery leading to stored Cross-Site Scripting and limited Privilege Escalation due to a missing nonce check in the access control function for administrative AJAX actions. More details.


Woocommerce Stock Manager <= 2.5.7 – CSRF to Arbitrary File Upload

Affected Plugin: WooCommerce Stock Manager
Plugin Slug: woocommerce-stock-manager
Affected Versions: <= 2.5.7
CVE ID: CVE-2021-34619
CVSS Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.6.0
Recommended Remediation: Update to version 2.6.0 or newer.

This plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file. More details.