Unauthenticated Cross Site Request Forgery (CSRF) in FunnelKit Payment Gateway for Stripe WooCommerce <= 1.14.0.3 versions.
Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.
Unauthenticated Sensitive Data Exposure in WCBoost – Products Compare <= 1.1.0 versions.
Subscriber Broken Access Control in Email Marketing for WooCommerce by Omnisend <= 1.19.0 versions.
Administrator SQL Injection in Popup box <= 6.0.1 versions.
Unauthenticated Insecure Direct Object References (IDOR) in Blocksy Companion Pro <= 2.1.46 versions.
Contributor Cross Site Scripting (XSS) in StatCounter <= 2.1.1 versions.
Administrator SQL Injection in WP All Import <= 4.0.1 versions.
Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions.
Subscriber Broken Access Control in WPCafe <= 3.0.14 versions.
Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
Contributor Cross Site Scripting (XSS) in SeedProd Pro < 6.19.5 versions.
Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter....
Author Cross Site Scripting (XSS) in Featured Image <= 2.1 versions.
Contributor Broken Access Control in SEOPress PRO <= 9.1.1 versions.
Unauthenticated Cross Site Scripting (XSS) in NanoMag <= 1.8 versions.
Unauthenticated Broken Access Control in GIFT4U <= 1.0.10 versions.
Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions.
Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions.
Contributor Arbitrary File Deletion in H5P <= 1.17.7 versions.