WordPress Plugin Vulnerabilities Summary: SSRF/XSS/RCE/SSTI

Vulnerability Key Information Summary 1. Vulnerability Overview and Scope This page displays multiple security vulnerabilities in WordPress plugins and software within the Patchstack vulnerability database, primarily containing the following key information: Webmention (<= 6.6.2): Unauthenticated Blind Server-Side Request Forgery (Blind SSRF) vulnerability. Export All URLs (<= 5.1): Unauthenticated Sensitive Data Exposure vulnerability. Query Monitor (<= 3.20.3): Cross-Site Scripting (XSS) vulnerability via Request URI reflection. Ultimate Addons for WPBakery Page Builder (< 3.21.4): Cross-Site Scripting (XSS) vulnerability. King Addons for Elementor (<= 51.153): Authenticated (Contributor+) DOM-Based Stored XSS vulnerability. Contact Form Entries (<= 14.9): Missing authorization for authenticated users (Contributor+), leading to sensitive information leakage. Shortcodes Ultimate (<= 74.10): Vulnerability related to the WordPress Shortcodes plugin. Amelia (<= 2.1.2): Authenticated (Manager+) SQL Injection vulnerability via the 'sort' parameter. Performance Monitor (<= 10.6): Unauthenticated Blind SSRF vulnerability. Minify HTML (<= 2.112): Cross-Site Request Forgery (CSRF) leading to plugin settings updates. Profile Builder (<= 3.15.5): Vulnerability related to the WordPress User Profile Builder plugin. Auto Post Scheduler (<= 1.9.4): Cross-Site Request Forgery (CSRF) to Stored XSS via API parameters. WooCommerce Payments (<= 10.5.1): Missing authorization for unauthenticated users to update plugin settings. Kubio AI Page Builder (<= 2.7.0): Cross-Site Scripting (XSS) vulnerability. Loco Translate (<= 2.8.2): Reflected Cross-Site Scripting (XSS) vulnerability via the 'update_href' parameter. Oxygen (<= 6.0.8): Unauthenticated Server-Side Request Forgery (SSRF) vulnerability via route_path. Gravity SMTP (<= 2.1.4): Unauthenticated sensitive information leakage via REST API. Everest Forms Pro (<= 19.12): Unauthenticated Remote Code Execution (RCE) vulnerability via calculated fields. Contact Form by Supsystic (<= 1.7.36): Unauthenticated Server-Side Template Injection (SSTI) vulnerability via the Prefill field. Iltana (<= 12.5.7): Vulnerability related to the WordPress website builder plugin (description truncated). 2. Remediation Measures Version Upgrade: For the vulnerabilities listed above, the official recommendation is to upgrade the affected plugins or software to a secure version (i.e., a version number greater than the upper limit specified in the vulnerability description). Mitigation Measures: Some entries in the page (such as Webmention, Ultimate Addons, King Addons, Performance Monitor, Loco Translate, Gravity SMTP, Everest Forms Pro, and Contact Form by Supsystic) are marked with "Mitigation available" (mitigation measures are available), indicating that specific configurations or patches may exist to reduce risks if an immediate upgrade is not possible. 3. POC/Exploit Code The screenshot does not contain specific POC code or exploit code; it only provides the vulnerability names, descriptions, and affected versions.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Plugin Vulnerabilities Summary: SSRF/XSS/RCE/SSTI