WordPress Incidents
When the WordPress ecosystem breaks, businesses end up paying the price.
Every day a plugin breaks, an update upends functionality, and real-world impact hits businesses that rely on WordPress. Here are stories that show the cost of depending on themes, plugins, and hosting add-ons for core infrastructure.
Vulnerabilities in 2025: 10,784
2026 (so far): 1,127
Last 30 days: 580 (plugin vulnerabilities: 539; theme vulnerabilities: 41; core vulnerabilities: 0)
Live Feed
Recent Critical & High Severity Vulnerabilities
Latest incidents from the daily tracker feed.
Ecwid by Lightspeed Ecommerce Shopping Cart <= 7.0.7 - Authenticated (Subscriber+) Privilege Escalation via ec_store_admin_access CVSS 8.8
Ecwid by Lightspeed Ecommerce Shopping Cart
Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation CVSS 9.8
Spam protection, Honeypot, Anti-Spam by CleanTalk
Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration CVSS 9.8
Truelysell Core
Super Page Cache <= 5.2.2 - Unauthenticated Stored Cross-Site Scripting via Activity Log CVSS 7.2
Super Page Cache
midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action CVSS 9.8
midi-Synth
User Language Switch <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter CVSS 7.2
User Language Switch
Super Simple Contact Form <= 1.6.2 - Reflected Cross-Site Scripting via 'sscf_name' Parameter CVSS 7.2
Super Simple Contact Form
Flexi Product Slider and Grid for WooCommerce <= 1.0.5 - Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute CVSS 7.5
Flexi Product Slider and Grid for WooCommerce
SureForms – Drag and Drop Form Builder for WordPress <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation CVSS 7.5
SureForms – Contact Form, Payment Form & Other Custom Form Builder
PhotoStack Gallery <= 0.4.1 - Unauthenticated SQL Injection via 'postid' Parameter CVSS 7.5
PhotoStack Gallery
JAY Login & Register <= 2.6.03 - Authenticated (Subscriber+) Privilege Escalation via jay_panel_ajax_update_profile CVSS 8.8
JAY Login & Register
JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user CVSS 9.8
JAY Login & Register
WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action CVSS 9.8
WP Duplicate – WordPress Migration Plugin
All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint CVSS 7.2
All In One Image Viewer Block – Gutenberg block to create image viewer with hyperlink
Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints CVSS 8.2
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers
SportsPress <= 2.7.26 - Authenticated (Contributor+) Local File Inclusion via Shortcode CVSS 8.8
SportsPress – Sports Club & League Manager
Infility Global <= 2.14.46 - Unauthenticated SQL Injection via Predictable API Key and IP Whitelist Bypass CVSS 7.5
Infility Global
SEO Flow by LupsOnline <= 2.2.1 - Unauthenticated Arbitrary Post/Category Modification CVSS 7.5
SEO Flow by LupsOnline
WP FOFT Loader <= 2.1.39 - Authenticated (Author+) Arbitrary File Upload CVSS 8.8
WP FOFT Loader
OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload CVSS 8.8
OS DataHub Maps
Updated Feb 16, 2026, 06:28 AM (14 days ago).
Disclaimer: This page aggregates third-party reporting and vulnerability feeds for informational purposes only. Data may be delayed, incomplete, or corrected over time, and we do not verify, warrant, or guarantee its accuracy, completeness, or timeliness. Links are provided as a convenience and do not imply endorsement of any publication, vendor, plugin, theme, hosting provider, or security service. We are not responsible for the content, availability, or security of external websites. Nothing on this page constitutes professional security, legal, or compliance advice. Always evaluate your own environment and consult qualified professionals before making security or platform decisions.