4.8
CVE-2023-5529 - Advanced Page Visit Counter <= 8.0.6 - Admin+ Stored XSS
The Advanced Page Visit Counter WordPress plugin before 8.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setuโฆ
5.4
CVE-2023-2334 - Easy Digital Downloads Google Sheet Connector < 1.6.6 - Access Code Update via CSRF
The edd-google-sheet-connector-pro WordPress plugin before 1.4, Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSโฆ
5.4
CVE-2025-2248 - WP-PManager <= 1.2 - Admin+ SQL Injection
The WP-PManager WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
5.4
CVE-2025-2247 - WP-PManager <= 1.2 - Category Deletion via CSRF
The WP-PManager WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
6.1
CVE-2025-2203 - WooCommerce Checkout & Funnel Builder by FunnelKit < 3.10.2 - Admin+ SQL Injection
The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
5.4
CVE-2025-1454 - Ninja Pages <= 1.4.2 - Admin+ Stored XSS
The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
6.1
CVE-2025-1303 - Plugin Oficial โ Getnet para WooCommerce <= 1.7.3 - Unauthenticated Reflected XSS
The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
4.8
CVE-2025-1289 - Plugin Oficial โ Getnet para WooCommerce <= 1.7.3 - Admin+ Stored XSS
The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
6.1
CVE-2025-1288 - wooexim <= 5.0.0 - CSRF to Reflected XSS
The WOOEXIM WordPress plugin through 5.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauthenticated user vulnerable to reflected XSS via a CSRF attack.
6.1
CVE-2025-1286 - Download HTML TinyMCE Button <= 1.2 - Reflected XSS
The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.