Published: 2024-11-30
Title: WordPress WordPress Portfolio Builder – Portfolio Gallery plugin <= 1.1.7 – Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Portfoliohub WordPress Portfolio Builder – Portfolio Gallery allows Stored XSS. This issue affects WordPress Portfolio Builder – Portfolio Gallery: from n/a through 1.1.7.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS Score: 5.9
Severity: MEDIUM
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Vendor: n/a
Product: WordPress Portfolio Builder – Portfolio Gallery
Vulnerable Versions: n/a through 1.1.7
Proof of Concept:
Vulnerability found by: DFEND Security Researcher
References:
– https://patchstack.com/database/wordpress/plugin/uber-grid/vulnerability/wordpress-wordpress-portfolio-builder-portfolio-gallery-plugin-1-1-7-cross-site-scripting-xss-vulnerability-2?_s_id=cve
– https://www.cve.org/CVERecord?id=CVE-2024-53788

Published: 2024-11-30
Title: WordPress Ni WooCommerce Cost Of Goods plugin <= 3.2.8 – SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Anzia Ni WooCommerce Cost Of Goods allows SQL Injection. This issue affects Ni WooCommerce Cost Of Goods: from n/a through 3.2.8.
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CVSS Score: 7.6
Severity: HIGH
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Vendor: n/a
Product: Ni WooCommerce Cost Of Goods
Vulnerable Versions: n/a through 3.2.8
Proof of Concept:
Vulnerability found by: DFEND Security Researcher
References:
– https://patchstack.com/database/wordpress/plugin/ni-woocommerce-cost-of-goods/vulnerability/wordpress-ni-woocommerce-cost-of-goods-plugin-3-2-8-sql-injection-vulnerability?_s_id=cve
– https://www.cve.org/CVERecord?id=CVE-2024-53783

Published: 2024-12-06
Title: WordPress WordPress Auction Plugin plugin <= 3.7 – SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows SQL Injection. This issue affects WordPress Auction Plugin: from n/a through 3.7.
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CVSS Score: 9.3
Severity: CRITICAL
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Vendor: n/a
Product: WordPress Auction Plugin
Vulnerable Versions: n/a through 3.7
Proof of Concept:
Vulnerability found by: DFEND Security Researcher
References:
– https://patchstack.com/database/wordpress/plugin/wp-auctions/vulnerability/wordpress-wordpress-auction-plugin-plugin-3-7-sql-injection-vulnerability?_s_id=cve
– https://www.cve.org/CVERecord?id=CVE-2024-51615

Published: 2025-01-07
Title: WordPress WordPress Auction Plugin plugin <= 3.7 – SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows SQL Injection. This issue affects WordPress Auction Plugin: from n/a through 3.7.
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CVSS Score: 7.6
Severity: HIGH
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Vendor: n/a
Product: WordPress Auction Plugin
Vulnerable Versions: n/a through 3.7
Proof of Concept:
Vulnerability found by: DFEND Security Researcher
References:
– https://patchstack.com/database/wordpress/plugin/wp-auctions/vulnerability/wordpress-wordpress-auction-plugin-plugin-3-7-sql-injection-vulnerability-2?_s_id=cve
– https://www.cve.org/CVERecord?id=CVE-2025-22349

Published: 2024-12-06
Title: WordPress WordPress Auction Plugin plugin <= 3.7 – Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows Stored XSS. This issue affects WordPress Auction Plugin: from n/a through 3.7.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS Score: 5.9
Severity: MEDIUM
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Vendor: n/a
Product: WordPress Auction Plugin
Vulnerable Versions: n/a through 3.7
Proof of Concept:
Vulnerability found by: DFEND Security Researcher
References:
– https://patchstack.com/database/wordpress/plugin/wp-auctions/vulnerability/wordpress-wordpress-auction-plugin-plugin-3-7-cross-site-scripting-xss-vulnerability?_s_id=cve
– https://www.cve.org/CVERecord?id=CVE-2024-54207

Published: 2024-12-06
Title: WordPress s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin <= 241114 – Remote Code Execution (RCE) vulnerability
Description: Improper Control of Generation of Code (‘Code Injection’) vulnerability in WP Sharks s2Member Pro allows Code Injection. This issue affects s2Member Pro: from n/a through 241114.
CWE: CWE-94 Improper Control of Generation of Code (‘Code Injection’)
CVSS Score: 9
Severity: CRITICAL
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Vendor: n/a
Product: s2Member Pro
Vulnerable Versions: n/a through 241114
Proof of Concept:
Vulnerability found by: DFEND Security Researcher
References:
– https://patchstack.com/database/wordpress/plugin/s2member/vulnerability/wordpress-s2member-excellent-for-all-kinds-of-memberships-content-restriction-paywalls-member-access-subscriptions-plugin-241114-remote-code-execution-rce-vulnerability?_s_id=cve
– https://www.cve.org/CVERecord?id=CVE-2024-51815

Published: 2025-03-03
Title: WordPress SMS Alert Order Notifications – WooCommerce plugin <= 3.7.8 – SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8.
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CVSS Score: 9.3
Severity: CRITICAL
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Vendor: n/a
Product: SMS Alert Order Notifications – WooCommerce
Vulnerable Versions: n/a through 3.7.8
Proof of Concept:
Vulnerability found by: DFEND Security Researcher
References:
– https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-woocommerce-plugin-3-7-8-sql-injection-vulnerability?_s_id=cve
– https://www.cve.org/CVERecord?id=CVE-2025-26988

Published: 2025-03-03
Title: WordPress SMS Alert Order Notifications – WooCommerce plugin <= 3.7.8 – Reflected Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows Reflected XSS. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS Score: 7.1
Severity: HIGH
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Vendor: n/a
Product: SMS Alert Order Notifications – WooCommerce
Vulnerable Versions: n/a through 3.7.8
Proof of Concept:
Vulnerability found by: DFEND Security Researcher
References:
– https://patchstack.com/database/wordpress/plugin/sms-alert/vulnerability/wordpress-sms-alert-order-notifications-woocommerce-plugin-3-7-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
– https://www.cve.org/CVERecord?id=CVE-2025-26984

Published: 2025-03-27
Title: WordPress RapidLoad plugin <= 2.4.4 – Broken Access Control vulnerability
Description: Missing Authorization vulnerability in Shakeeb Sadikeen RapidLoad allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RapidLoad: from n/a through 2.4.4.
CWE: CWE-862 Missing Authorization
CVSS Score: 4.3
Severity: MEDIUM
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vendor: n/a
Product: RapidLoad
Vulnerable Versions: n/a through 2.4.4
Proof of Concept:
Vulnerability found by: DFEND Security Researcher
References:
– https://patchstack.com/database/wordpress/plugin/unusedcss/vulnerability/wordpress-rapidload-plugin-2-4-4-broken-access-control-vulnerability?_s_id=cve
– https://www.cve.org/CVERecord?id=CVE-2025-22665

Published: 2024-10-29
Title: WordPress Namaste! LMS plugin <= 2.6.2 – Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Kiboko Labs Namaste! LMS allows Reflected XSS. This issue affects Namaste! LMS: from n/a through 2.6.2.
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’)
CVSS Score: 7.1
Severity: HIGH
Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Vendor: n/a
Product: Namaste! LMS
Vulnerable Versions: n/a through 2.6.2
Proof of Concept:
Vulnerability found by: DFEND Security Researcher
References:
– https://patchstack.com/database/vulnerability/namaste-lms/wordpress-namaste-lms-plugin-2-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve
– https://www.cve.org/CVERecord?id=CVE-2024-50407