CVE-2025-13329 File Uploader for WooCommerce

CVE-2025-13329 File Uploader for WooCommerce <= 1.0.3 - Unauthenticated Arbitrary File Upload via add-image-data

File Uploader for WooCommerce Plugin Overview
Published: 2025-12-20
CVE-ID: CVE-2025-13329
Affected Plugin: File Uploader for WooCommerce
Affected Versions: <= 1.0.3
Vulnerability Type: Unauthenticated Arbitrary File Upload via add-image-data
CWE-434: Unrestricted Upload of File with Dangerous Type

Description
The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the ‘add-image-data’ REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site’s server, which may make remote code execution possible. ...

December 24, 2025 · 6 min · Phat Mai

CVE-2025-68519 WordPress Brands for WooCommerce Plugin

CVE-2025-68519 WordPress Brands for WooCommerce Plugin <= 3.8.6.3 is vulnerable to SQL Injection

WordPress Brands for WooCommerce Plugin Overview
Published: 2025-12-24
CVE ID: CVE-2025-68519
Affected Plugin: WordPress Brands for WooCommerce
Affected Versions: <= 3.8.6.3
Vulnerability Type: SQL Injection vulnerability

Description
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in BeRocket Brands for WooCommerce (brands-for-woocommerce) allows Blind SQL Injection. This issue affects Brands for WooCommerce: from n/a through <= 3.8.6.3. ...

December 23, 2025 · 4 min · Phat Mai

CVE-2025-14770 – Unauthenticated SQL Injection via “city” Parameter

WordPress Shipping Rate By Cities Plugin Overview
CVE ID: CVE-2025-14770
Affected Plugin: Shipping Rate By Cities
Affected Versions: ≤ 2.0.0
Vulnerability Type: Unauthenticated SQL Injection
Attack Vector: Network
Authentication Required: No

Description
The Shipping Rate By Cities WordPress plugin contains an unauthenticated SQL Injection vulnerability in versions up to 2.0.0. The issue originates from unsafe handling of the city parameter, which is concatenated directly into an SQL query without proper preparation. ...

December 22, 2025 · 9 min · Phat Mai

CVE-2026-3359 WordPress Form Maker by 10Web Plugin <= 1.15.42 is vulnerable to a high priority SQL Injection

Critical SQL Injection (CVE-2026-3359) in WordPress Form Maker by 10Web

Overview
Published: 2026-05-05
CVE-ID: CVE-2026-3359
CVSS: 9.8 Critical
Affected Plugin: Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
Affected Versions: <= 1.15.42
Patched Version: 1.15.43
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Description
The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the ‘inputs’ parameter. In versions up to and including 1.15.42, the plugin fails to sufficiently sanitize user-supplied data before incorporating it into SQL queries. This allows unauthenticated attackers to append malicious SQL commands to existing queries, potentially leading to the extraction of sensitive database information. ...

5 min · Phat Mai