Vulnerabilities and security researches forwp-plugin-info-card wp-plugin-info-card

Jun 07, 2024

CVE, Research URL: 2aa7d35570fa53a8decaa549b9680523a7a9316c
Home page URL: Security reports for WP Plugin Info Card
Application: WP Plugin Info Card
Date: Mar 04, 2015
Research Description: WP Plugin Info Card [wp-plugin-info-card] < 2.3.7 WP Plugin Info Card < 2.3.7 - Cross-Site Scripting The WP Plugin Info Card plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘slug’ parameter in versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 2.3.7.
Status: vulnerable

Apr 03, 2025

CVE, Research URL: CVE-2025-31835
Home page URL: Security reports for WP Plugin Info Card
Application: WP Plugin Info Card
Date: Apr 01, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brice Capobianco WP Plugin Info Card allows DOM-Based XSS. This issue affects WP Plugin Info Card: from n/a through 5.2.5.
Affected versions: max 5.2.5.
Status: vulnerable

Jun 15, 2025

CVE, Research URL: CVE-2025-5116
Home page URL: Security reports for WP Plugin Info Card
Application: WP Plugin Info Card
Date: Jun 03, 2025
Research Description: The WP Plugin Info Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘containerid’ parameter in all versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This issue is due to an incomplete patch for CVE-2025-31835.
Affected versions: max 5.4.0.
Status: vulnerable

Apr 16, 2026

CVE, Research URL: CVE-2026-2023
Home page URL: Security reports for WP Plugin Info Card
Application: WP Plugin Info Card
Date: Feb 18, 2026
Research Description: The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 6.3.0.
Status: vulnerable