VYPR

Vendor CVEs

Wpexperts

All CVEs

51 total · sorted by risk
  • CVE-2023-6875CriJan 11, 2024
    risk 0.67cvss 9.8epss 0.90

    The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and…

  • CVE-2025-28898CriMar 26, 2025
    risk 0.60cvss 9.3epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows SQL Injection.This issue affects WP Multistore Locator: from n/a through <= 2.5.2.

  • CVE-2025-26974CriFeb 25, 2025
    risk 0.60cvss 9.3epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows Blind SQL Injection.This issue affects WP Multistore Locator: from n/a through <= 2.5.1.

  • CVE-2025-24000HigAug 7, 2025
    risk 0.57cvss 8.8epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Saad Iqbal Post SMTP post-smtp allows Authentication Bypass.This issue affects Post SMTP: from n/a through <= 3.2.0.

  • CVE-2019-25150HigJun 7, 2023
    risk 0.57cvss 8.8epss 0.01

    The Email Templates plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.3. This makes it possible for attackers to present phishing forms or conduct cross-site request forgery attacks against site administrators.

  • CVE-2025-69063HigFeb 20, 2026
    risk 0.56cvss 8.6epss 0.00

    Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.0.

  • CVE-2024-47338HigOct 6, 2024
    risk 0.55cvss 8.5epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal WPExperts Square For GiveWP wpexperts-square-for-give allows SQL Injection.This issue affects WPExperts Square For GiveWP: from n/a through <= 1.3.

  • CVE-2024-52436HigNov 18, 2024
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal Post SMTP post-smtp allows Blind SQL Injection.This issue affects Post SMTP: from n/a through <= 2.9.9.

  • CVE-2024-31297HigApr 10, 2024
    risk 0.49cvss 7.5epss 0.00

    Missing Authorization vulnerability in WPExperts Wholesale For WooCommerce.This issue affects Wholesale For WooCommerce: from n/a through 2.3.0.

  • CVE-2023-48742HigNov 30, 2023
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LicenseManager License Manager for WooCommerce license-manager-for-woocommerce allows SQL Injection.This issue affects License Manager for WooCommerce: from n/a through 2.2.10.

  • CVE-2025-63030HigDec 9, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal New User Approve new-user-approve allows Cross Site Request Forgery.This issue affects New User Approve: from n/a through <= 3.2.3.

  • CVE-2025-58268HigSep 22, 2025
    risk 0.46cvss 7.1epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in WPMK WPMK PDF Generator wpmk-pdf-generator allows Stored XSS.This issue affects WPMK PDF Generator: from n/a through <= 1.0.1.

  • CVE-2025-24680HigJan 27, 2025
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows Reflected XSS.This issue affects WP Multistore Locator: from n/a through <= 2.4.7.

  • CVE-2024-27959HigMar 17, 2024
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wpexpertsio WC Shop Sync – Integrate Square and WooCommerce for Seamless Shop Management allows Reflected XSS.This issue affects WC Shop Sync – Integrate Square and…

  • CVE-2026-27440MedFeb 19, 2026
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS.This issue affects myCred: from n/a through <= 2.9.7.6.

  • CVE-2024-1639MedJun 21, 2024
    risk 0.42cvss 6.5epss 0.00

    The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.6. This makes it possible for…

  • CVE-2023-47853MedNov 30, 2023
    risk 0.42cvss 6.5epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin allows Stored XSS.This issue affects myCred – Points, Rewards, Gamification, Ranks, Badges &…

  • CVE-2023-35096MedJul 17, 2023
    risk 0.42cvss 6.5epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <= 2.5 versions.

  • CVE-2024-5207HigMay 30, 2024
    risk 0.40cvss 7.2epss 0.01

    The POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications plugin for WordPress is vulnerable to time-based SQL Injection via the selected parameter in all versions up to, and including, 2.9.3 due to insufficient escaping on the…

  • CVE-2023-7027HigJan 3, 2024
    risk 0.40cvss 7.2epss 0.01

    The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization…

  • CVE-2023-3082HigJul 12, 2023
    risk 0.40cvss 7.2epss 0.00

    The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web…

  • CVE-2024-29128HigMar 19, 2024
    risk 0.39cvss 7.1epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Post SMTP POST SMTP allows Reflected XSS.This issue affects POST SMTP: from n/a through 2.8.6.

  • CVE-2023-49842MedDec 14, 2023
    risk 0.38cvss 5.9epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpexpertsio Rocket Maintenance Mode & Coming Soon Page allows Stored XSS.This issue affects Rocket Maintenance Mode & Coming Soon Page: from n/a through 4.3.

  • CVE-2026-0550MedFeb 14, 2026
    risk 0.35cvss 6.4epss 0.00

    The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycred_load_coupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it…

  • CVE-2024-54323MedDec 13, 2024
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 2.6.2.

  • CVE-2024-11201MedDec 6, 2024
    risk 0.35cvss 6.4epss 0.01

    The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_send…

  • CVE-2025-67563MedDec 9, 2025
    risk 0.34cvss 5.3epss 0.00

    Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post SMTP: from n/a through <= 3.6.1.

  • CVE-2025-49872MedJun 17, 2025
    risk 0.34cvss 5.3epss 0.00

    Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects myCred: from n/a through <= 2.9.4.2.

  • CVE-2022-47182MedDec 13, 2024
    risk 0.34cvss 5.3epss 0.00

    Missing Authorization vulnerability in Wpexpertsio APIExperts Square for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects APIExperts Square for WooCommerce: from n/a through 4.4.1.

  • CVE-2024-43214MedAug 26, 2024
    risk 0.34cvss 5.3epss 0.00

    Missing Authorization vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.7.2.

  • CVE-2024-30469MedMar 29, 2024
    risk 0.34cvss 5.3epss 0.00

    Missing Authorization vulnerability in WPExperts Wholesale For WooCommerce.This issue affects Wholesale For WooCommerce: from n/a through 2.3.0.

  • CVE-2023-6629MedJan 3, 2024
    risk 0.33cvss 6.1epss 0.00

    The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization…

  • CVE-2024-0656MedFeb 29, 2024
    risk 0.29cvss 4.4epss 0.00

    The Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Captcha Site Key in all versions up to, and including, 2.6.6 due to insufficient input sanitization…

  • CVE-2026-24951MedFeb 3, 2026
    risk 0.28cvss 4.3epss 0.00

    Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.7.3.

  • CVE-2025-31888MedApr 1, 2025
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows Cross Site Request Forgery.This issue affects WP Multistore Locator: from n/a through <= 2.5.2.

  • CVE-2023-50902MedDec 29, 2023
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in WPExpertsio New User Approve.This issue affects New User Approve: from n/a through 2.5.1.

  • CVE-2022-47181MedNov 7, 2023
    risk 0.28cvss 4.3epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in wpexpertsio Email Templates Customizer and Designer for WordPress and WooCommerce email-templates allows Cross Site Request Forgery.This issue affects Email Templates Customizer and Designer for WordPress and WooCommerce: from…

  • CVE-2021-4422MedJul 12, 2023
    risk 0.28cvss 4.3epss 0.01

    The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport() function. This makes it possible for unauthenticated attackers to trigger…

  • CVE-2025-12770MedNov 19, 2025
    risk 0.27cvss 5.3epss 0.00

    The New User Approve plugin for WordPress is vulnerable to unauthorized data disclosure in all versions up to, and including, 3.0.9 due to insufficient API key validation using loose equality comparison. This makes it possible for unauthenticated attackers to retrieve personally…

  • CVE-2025-9219MedSep 3, 2025
    risk 0.21cvss 4.3epss 0.00

    The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the…

  • CVE-2025-22800MedJan 13, 2025
    risk 0.21cvss 4.3epss 0.00

    Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post SMTP: from n/a through <= 2.9.11.

  • CVE-2022-4363May 16, 2025
    risk 0.00cvss epss 0.00

    The Wholesale Market WordPress plugin before 2.2.2, Wholesale Market for WooCommerce WordPress plugin before 2.0.1 have a flawed CSRF check when updating their settings, which could allow attackers to make a logged in admin update them via a CSRF attack

  • CVE-2024-13844Mar 8, 2025
    risk 0.00cvss epss 0.00

    The Post SMTP plugin for WordPress is vulnerable to generic SQL Injection via the ‘columns’ parameter in all versions up to, and including, 3.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This…

  • CVE-2024-13713Feb 21, 2025
    risk 0.00cvss epss 0.00

    The WPExperts Square For GiveWP plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. …

  • CVE-2024-10187Nov 8, 2024
    risk 0.00cvss epss 0.00

    The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_link…

  • CVE-2023-35038Jul 17, 2023
    risk 0.00cvss epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in wpexperts.Io WP PDF Generator plugin <= 1.2.2 versions.

  • CVE-2023-32580Jun 23, 2023
    risk 0.00cvss epss 0.00

    Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPExperts Password Protected plugin <= 2.6.2 versions.

  • CVE-2022-4109Jan 2, 2023
    risk 0.00cvss epss 0.01

    The Wholesale Market for WooCommerce WordPress plugin before 2.0.0 does not validate user input against path traversal attacks, allowing high privilege users such as admin to download arbitrary logs from the server even when they should not be able to (for example in multisite)

  • CVE-2022-4106Dec 19, 2022
    risk 0.00cvss epss 0.01

    The Wholesale Market for WooCommerce WordPress plugin before 1.0.7 does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server.

  • CVE-2022-2352Sep 26, 2022
    risk 0.00cvss epss 0.01

    The Post SMTP Mailer/Email Log WordPress plugin before 2.1.7 does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations for example.

Page 1 of 2