123 CVEs tracked today. 0 Critical, 24 High, 94 Medium, 5 Low.
-
CVE-2026-32064
HIGH
CVSS 7.7
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, allowing any attacker with access to the host's loopback interface to view or interact with sandboxed browser sessions without credentials. All OpenClaw versions prior to 2026.2.21 are affected. This vulnerability has been publicly disclosed with patches available from the vendor, though no EPSS score, KEV status, or public POC references were provided in the intelligence data.
Authentication Bypass
-
CVE-2026-32056
HIGH
CVSS 7.5
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist protections. Authenticated remote attackers with low privileges can inject malicious shell startup files (.bash_profile, .zshenv) via unsanitized HOME and ZDOTDIR variables to achieve arbitrary code execution before allowlisted commands execute. A patch is available from the vendor via GitHub commit c2c7114ed39a547ab6276e1e933029b9530ee906.
RCE
Command Injection
-
CVE-2026-32055
HIGH
CVSS 7.6
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace directory by exploiting improper symlink resolution in path validation checks. An attacker with workspace access can leverage in-workspace symlinks pointing to external targets to bypass boundary restrictions on the first write operation. Public exploit code exists for this vulnerability, and a patch is available.
Path Traversal
-
CVE-2026-32051
HIGH
CVSS 8.8
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.write scope to escalate privileges and execute owner-only administrative functions including gateway and cron management through agent runs in scoped-token deployments. This is a privilege escalation issue affecting deployments using scoped authentication tokens, where write-level access can be exploited to perform control-plane operations reserved for owners. With a CVSS score of 8.8 and network-accessible attack vector, this represents a significant authorization bypass, though no KEV listing or public exploitation indicators are currently available.
Authentication Bypass
-
CVE-2026-32049
HIGH
CVSS 7.5
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consistently enforce configured inbound media byte limits across multiple channel ingestion paths. Remote unauthenticated attackers can exploit this by sending oversized media payloads to cause elevated memory consumption and process instability, leading to denial of service. The vulnerability has a CVSS score of 7.5 (High severity) with network-based attack vector and low complexity, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
Denial Of Service
-
CVE-2026-32048
HIGH
CVSS 7.5
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low privileges to bypass runtime confinement restrictions. Attackers can exploit a flaw in cross-agent sessions_spawn operations to create child processes under unsandboxed agents, effectively disabling sandbox protections by setting sandbox.mode to off. While the CVSS score is 7.5 (High), there is no evidence of active exploitation (not in CISA KEV), though the vulnerability has been publicly disclosed through GitHub Security Advisories and VulnCheck, increasing the likelihood of proof-of-concept development.
Authentication Bypass
-
CVE-2026-32042
HIGH
CVSS 8.8
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated attackers to bypass device pairing requirements and self-assign elevated operator.admin scopes. Attackers with valid shared gateway authentication credentials can present self-signed unpaired device identities to obtain administrator privileges before pairing approval is granted. This is a high-severity vulnerability (CVSS 8.8) with a patch available from the vendor.
Privilege Escalation
Authentication Bypass
-
CVE-2026-4529
HIGH
CVSS 8.8
Stack-based buffer overflow in the SOAP Handler of unsupported D-Link DHP-1320 1.00WWB04 devices allows authenticated remote attackers to achieve complete system compromise through the redirect_count_down_page function. Public exploit code exists for this vulnerability, which carries a high risk given the affected devices are no longer maintained. Successful exploitation enables arbitrary code execution with full confidentiality, integrity, and availability impact.
Stack Overflow
D-Link
Buffer Overflow
-
CVE-2026-4528
HIGH
CVSS 7.3
A Server-Side Request Forgery (SSRF) vulnerability exists in the validateUrlSecurity function of the URL validation handler in trueleaf ApiFlow version 0.9.7. This flaw allows unauthenticated remote attackers to manipulate server-side requests to access internal resources or perform actions on behalf of the server. A public proof-of-concept exploit has been disclosed and is available, significantly lowering the barrier to exploitation.
SSRF
-
CVE-2026-4373
HIGH
CVSS 7.5
The JetFormBuilder plugin for WordPress contains a critical path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. All versions up to and including 3.5.6.2 are affected. Attackers can exploit this to exfiltrate sensitive local files as email attachments by submitting crafted form requests with malicious Media Field payloads, with a CVSS score of 7.5 indicating high confidentiality impact.
WordPress
Path Traversal
-
CVE-2026-4302
HIGH
CVSS 7.2
The WowOptin: Next-Gen Popup Maker plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability affecting all versions up to and including 1.4.29. An unauthenticated attacker can exploit a publicly accessible REST API endpoint (optn/v1/integration-action) that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() without validation, allowing arbitrary web requests from the server. This enables querying and modifying information from internal services with a CVSS score of 7.2 (High), though no active exploitation (KEV) or public POC has been documented at this time.
WordPress
SSRF
-
CVE-2026-4261
HIGH
CVSS 8.8
The Expire Users plugin for WordPress versions up to and including 1.2.2 contains a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to elevate their privileges to administrator level. This occurs because the plugin improperly allows users to update the 'on_expire_default_to_role' meta field through the 'save_extra_user_profile_fields' function without proper authorization checks. With a CVSS score of 8.8 (High severity), this represents a critical security issue for affected WordPress installations, though no active exploitation (KEV) or EPSS data has been reported at this time.
Authentication Bypass
WordPress
Privilege Escalation
-
CVE-2026-3629
HIGH
CVSS 8.1
The Import and export users and customers plugin for WordPress contains a privilege escalation vulnerability that allows unauthenticated attackers to gain Administrator privileges. All versions up to and including 1.29.7 are affected. The vulnerability can only be exploited when specific configuration conditions are met (the 'Show fields in profile' setting is enabled and a CSV with wp_capabilities column has been previously imported), which increases attack complexity but does not eliminate the critical risk.
WordPress
Privilege Escalation
-
CVE-2026-3478
HIGH
CVSS 7.2
The Content Syndication Toolkit plugin for WordPress contains an unauthenticated Server-Side Request Forgery vulnerability that allows attackers to make arbitrary HTTP requests from the WordPress server. All versions up to and including 1.3 are affected through a bundled ReduxFramework library that exposes an unprotected AJAX proxy endpoint. Attackers can exploit this to query internal services, scan internal network ports, access cloud metadata endpoints, or interact with internal APIs without any authentication, representing a significant risk for reconnaissance and lateral movement in internal networks.
WordPress
SSRF
-
CVE-2026-3334
HIGH
CVSS 8.8
The CMS Commander plugin for WordPress contains an SQL Injection vulnerability in all versions up to and including 2.288. Authenticated attackers with API key access can exploit the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in the restore workflow to append malicious SQL queries and extract sensitive database information. With a CVSS score of 8.8, this represents a high-severity vulnerability requiring low attack complexity and low privileges, though no active exploitation (KEV) or public POC has been reported at this time.
WordPress
SQLi
-
CVE-2026-3003
HIGH
CVSS 7.2
The Vagaro Booking Widget plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'vagaro_code' parameter affecting all versions up to and including 0.3. Unauthenticated attackers can inject malicious JavaScript that executes whenever any user visits the compromised page, potentially leading to session hijacking, credential theft, or further site compromise. The CVSS score of 7.2 reflects network-based exploitation with no authentication required and changed scope, indicating the attack can affect resources beyond the vulnerable component.
WordPress
XSS
-
CVE-2026-2941
HIGH
CVSS 8.8
The Linksy Search and Replace plugin for WordPress versions up to 1.0.4 contains a missing capability check vulnerability that allows authenticated attackers with subscriber-level access or higher to modify arbitrary database tables. Attackers can exploit this to elevate their privileges to administrator by modifying the wp_capabilities field, achieving complete site takeover. With a CVSS score of 8.8 (High), this represents a critical privilege escalation vulnerability affecting authenticated users with minimal access.
Authentication Bypass
WordPress
Privilege Escalation
-
CVE-2026-2468
HIGH
CVSS 7.5
The Quentn WP plugin for WordPress contains an SQL Injection vulnerability that allows unauthenticated attackers to extract sensitive database information through a malicious 'qntn_wp_access' cookie value. All versions up to and including 1.2.12 are affected. With a CVSS score of 7.5 and requiring no authentication or user interaction, this represents a significant risk for WordPress sites using this plugin, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.
WordPress
SQLi
-
CVE-2026-2440
HIGH
CVSS 7.2
The SurveyJS WordPress plugin contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to and including 2.5.3. Unauthenticated attackers can submit malicious HTML-encoded payloads through public survey forms that execute when administrators view survey results in the WordPress admin dashboard. With a CVSS score of 7.2 and no authentication required, this represents a significant risk to WordPress sites using this plugin.
WordPress
XSS
-
CVE-2026-2279
HIGH
CVSS 7.2
The myLinksDump plugin for WordPress contains a SQL injection vulnerability in the 'sort_by' and 'sort_order' parameters affecting all versions up to and including 1.6. Authenticated attackers with administrator-level access can exploit insufficient input escaping and inadequate SQL query preparation to append malicious SQL queries and extract sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 7.2 with high impact to confidentiality, integrity, and availability.
WordPress
SQLi
-
CVE-2026-1800
HIGH
CVSS 7.5
The Fonts Manager | Custom Fonts plugin for WordPress contains a time-based SQL injection vulnerability in versions up to and including 1.2. Unauthenticated attackers can exploit the vulnerable 'fmcfIdSelectedFnt' parameter to extract sensitive database information without requiring any privileges or user interaction. The vulnerability has a CVSS score of 7.5, indicating high confidentiality impact, though no KEV listing or EPSS score is provided in the available data.
WordPress
SQLi
-
CVE-2026-1648
HIGH
CVSS 7.2
The Performance Monitor plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in its REST API endpoint that allows unauthenticated attackers to make arbitrary web requests to internal services using dangerous protocols including Gopher. Versions up to and including 1.0.6 are affected. This vulnerability can be chained with services like Redis to achieve Remote Code Execution, making it a critical security concern despite the 7.2 CVSS score.
Redis
WordPress
SSRF
RCE
-
CVE-2026-1313
HIGH
CVSS 8.3
The MimeTypes Link Icons plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability affecting all versions up to and including 3.2.20. Authenticated attackers with Contributor-level access or higher can exploit this flaw when the 'Show file size' option is enabled by embedding crafted links in post content, allowing them to make arbitrary HTTP requests from the server to internal or external resources. This enables querying and potentially modifying information from internal services that should not be accessible from the public internet.
WordPress
SSRF
-
CVE-2025-14037
HIGH
CVSS 8.1
The Invelity Product Feeds plugin for WordPress contains an arbitrary file deletion vulnerability through path traversal in versions up to and including 1.2.6. Authenticated administrators can be socially engineered into clicking malicious links that delete arbitrary server files due to missing validation in the createManageFeedPage function. No evidence of active exploitation (not in KEV) exists, though the vulnerability is publicly documented with technical details available via WordPress plugin repository references.
CSRF
WordPress
Path Traversal
PHP
-
CVE-2026-32899
MEDIUM
CVSS 4.3
OpenClaw fails to consistently apply sender-policy checks to reaction and pin event handlers, allowing authenticated attackers to bypass configured direct message policies and channel user allowlists by injecting unauthorized events from restricted senders. The vulnerability affects OpenClaw versions prior to 2026.2.25, requires low privileges (authenticated user), and enables unauthorized event injection with moderate severity (CVSS 4.3). A patch is available from the vendor, and the vulnerability has been documented in the VulnCheck advisory and GitHub Security Advisory GHSA-rm2p-j3r7-4x4j.
Authentication Bypass
-
CVE-2026-32898
MEDIUM
CVSS 5.4
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP (Approval Control Panel) client that automatically approves tool calls based on untrusted metadata and overly permissive heuristics. An authenticated attacker (privileges required) can bypass interactive approval prompts for read-class operations by spoofing toolCall.kind metadata or using non-core read-like function names to reach auto-approve execution paths. This vulnerability enables unauthorized information disclosure and modification without user interaction, and while not currently listed as actively exploited in KEV, proof-of-concept demonstrations are available via vendor security advisories.
Authentication Bypass
-
CVE-2026-32896
MEDIUM
CVSS 4.8
OpenClaw versions prior to 2026.2.21 contain a passwordless fallback authentication bypass in the BlueBubbles webhook handler that allows attackers to send unauthenticated webhook events by exploiting loopback or reverse-proxy heuristics. The vulnerability affects the BlueBubbles plugin component and has a CVSS score of 4.8 (medium severity) with low attack complexity, enabling both confidentiality and integrity impact without requiring authentication or user interaction. A vendor patch is available, and the vulnerability is documented in public advisories from VulnCheck and GitHub Security.
Authentication Bypass
-
CVE-2026-32895
MEDIUM
CVSS 5.4
OpenClaw versions prior to 2026.2.26 contain an authentication bypass vulnerability in the Slack system event handlers, which fail to properly enforce sender authorization checks. Attackers with low-privilege access (PR:L in CVSS vector) can craft and send unauthorized system events through message_changed, message_deleted, and thread_broadcast event types to bypass Slack DM allowlists and per-channel user allowlists. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact; no KEV or active exploitation has been publicly disclosed, but a patch is available from the vendor.
Authentication Bypass
-
CVE-2026-32065
MEDIUM
CVSS 4.8
OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in the system.run function where the rendered command text displayed to approvers has whitespace trimmed from argv tokens, but the actual runtime execution uses the raw, untrimmed argv. An attacker with the ability to influence command arguments and reuse an approval context can craft a trailing-space executable token to execute a different binary than what was approved, resulting in arbitrary command execution under the OpenClaw runtime user. The CVSS score of 4.8 reflects the requirement for local privileges and user interaction, though the integrity impact is marked as high due to the ability to execute unauthorized commands.
Authentication Bypass
-
CVE-2026-32057
MEDIUM
CVSS 6.0
OpenClaw versions before 2026.2.25 allow authenticated attackers with node role permissions to bypass device pairing requirements in the Control UI by spoofing the control-ui client identifier, enabling unauthorized access to node event execution flows. Public exploit code exists for this authentication bypass vulnerability. The vulnerability requires prior authentication and has moderate integrity impact potential.
Authentication Bypass
-
CVE-2026-32054
MEDIUM
CVSS 6.5
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the browser trace and download output path handling that allows local attackers with limited privileges to escape the managed temporary root directory and overwrite arbitrary files on the system. An attacker can create symbolic links to redirect file writes outside the intended sandbox, resulting in information disclosure and potential system compromise through arbitrary file modification. A patch is available from the vendor, and this vulnerability requires local access with low privileges to exploit, making it a medium-severity concern for multi-user systems.
Information Disclosure
-
CVE-2026-32053
MEDIUM
CVSS 6.5
OpenClaw versions prior to 2026.2.23 contain a webhook event deduplication bypass vulnerability where normalized Twilio event IDs are randomized on each parse, allowing attackers to replay webhook events and circumvent the manager's deduplication checks. An unauthenticated remote attacker can exploit this over the network to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption. While neither active exploitation nor a public POC is explicitly confirmed in the provided intelligence, the CVSS 6.5 score reflects moderate integrity and availability impact with low attack complexity.
Authentication Bypass
-
CVE-2026-32052
MEDIUM
CVSS 6.4
OpenClaw versions before 2026.2.24 allow authenticated attackers to execute arbitrary commands through command injection in the system.run shell-wrapper by injecting malicious arguments that bypass validation controls. Public exploit code exists for this vulnerability, enabling attackers to disguise malicious payloads while executing hidden commands with the privileges of the affected application.
Command Injection
-
CVE-2026-32046
MEDIUM
CVSS 5.3
OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability (CWE-1188) that allows local attackers with low privileges to execute arbitrary code on the host system by exploiting disabled OS-level sandbox protections in the Chromium browser container. The vulnerability does not require a sandbox escape, making exploitation straightforward for local users. A patch is available from the vendor, and the issue was reported by VulnCheck with references to GitHub security advisories and patch commits.
RCE
Google
Chrome
-
CVE-2026-32045
MEDIUM
CVSS 5.9
OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in HTTP gateway routes due to incorrect application of tokenless Tailscale header authentication. Attackers on trusted networks can access HTTP gateway routes without providing required token or password credentials, potentially exposing sensitive functionality. A patch is available from the vendor, and this vulnerability has been disclosed publicly via GitHub Security Advisory GHSA-hff7-ccv5-52f8.
Authentication Bypass
-
CVE-2026-32044
MEDIUM
CVSS 5.5
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability that selectively bypasses safety checks for tar.bz2 skill archives while other formats enforce proper validation. An attacker can craft a malicious tar.bz2 skill archive that circumvents special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation when a user interacts with the installer. This is a local, user-interaction-dependent vulnerability with no authentication required, rated CVSS 5.5 (medium severity) with denial of service impact.
Denial Of Service
-
CVE-2026-32043
MEDIUM
CVSS 6.5
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use (TOCTOU) vulnerability in the approval-bound system.run execution function: the current working directory (cwd) parameter is validated at approval time but resolved at execution time. Attackers with local access and limited privileges can retarget symlinked directories between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts. The vulnerability has a CVSS score of 6.5 with medium attack complexity but high integrity and availability impact, making it a notable local privilege escalation vector that requires user interaction in the approval workflow.
Authentication Bypass
-
CVE-2026-4530
MEDIUM
CVSS 5.3
SQL injection in apconw Aix-DB through the terminology_retriever.py module allows local attackers to manipulate the Description argument and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected versions include Aix-DB up to 1.2.3.
SQLi
-
CVE-2026-4516
MEDIUM
CVSS 6.3
A code injection vulnerability exists in Foundation Agents MetaGPT up to version 0.8.1, specifically in the DataInterpreter component's write_analysis_code.py file, allowing authenticated attackers to inject and execute arbitrary code remotely. The vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) with a CVSS score of 6.3 and requires low privileges and no user interaction. A public proof-of-concept exploit is available, indicating active research and potential real-world exploitation risk.
Code Injection
-
CVE-2026-4515
MEDIUM
CVSS 6.3
A code injection vulnerability exists in Foundation Agents MetaGPT versions up to 0.8.1 within the code_generate function of metagpt/ext/aflow/scripts/operator.py, allowing authenticated remote attackers to execute arbitrary code. The vulnerability is classified as CWE-94 (improper control of generation of code) and carries a CVSS score of 6.3 with network-based attack vector requiring low privileges. A public exploit has been disclosed on GitHub, and the vendor has not responded to early disclosure attempts, elevating the practical risk despite the moderate CVSS rating.
RCE
Code Injection
-
CVE-2026-4514
MEDIUM
CVSS 6.3
PbootCMS versions up to 3.2.12 contain an improper access control vulnerability in the Backend UserController component that allows authenticated attackers to manipulate the Field argument and bypass access restrictions. An attacker with login credentials can exploit this to gain unauthorized access to sensitive user data or system functions. A proof-of-concept exploit has been publicly disclosed on GitHub and the vulnerability carries a moderate CVSS score of 6.3 with documented exploitation capability.
PHP
Authentication Bypass
-
CVE-2026-4513
MEDIUM
CVSS 6.3
SQL injection in vanna-ai vanna versions up to 2.0.2 allows authenticated remote attackers to manipulate the ask function in vanna/legacy/base/base.py, potentially enabling data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
SQLi
-
CVE-2026-4511
MEDIUM
CVSS 6.3
A code injection vulnerability exists in vanna-ai vanna up to version 2.0.2, specifically in the exec function of the /src/vanna/legacy file. This authenticated remote code injection allows attackers with login credentials to execute arbitrary code with limited impact on confidentiality, integrity, and availability. A proof-of-concept exploit has been publicly disclosed on GitHub, and the vendor has not responded to early disclosure notifications, making this an active concern for deployed instances.
Information Disclosure
-
CVE-2026-4510
MEDIUM
CVSS 4.3
A reflected cross-site scripting (XSS) vulnerability exists in PbootCMS versions up to 3.2.12 in the alert_location function of the MemberController.php file, where the backurl parameter is not properly sanitized before output. An attacker can craft a malicious URL containing JavaScript code that will execute in a victim's browser when they click the link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available on GitHub, increasing the risk of active exploitation.
PHP
XSS
-
CVE-2026-4509
MEDIUM
CVSS 6.3
PbootCMS versions up to 3.2.12 contain an incomplete blacklist bypass vulnerability in the file upload functionality (core/function/file.php) that allows authenticated attackers to upload dangerous files by manipulating the blacklist parameter. An attacker with login credentials can bypass file type restrictions to upload arbitrary files, potentially achieving remote code execution or other malicious outcomes. A public proof-of-concept exploit is available on GitHub, increasing the practical risk of exploitation.
PHP
File Upload
-
CVE-2026-4161
MEDIUM
CVSS 4.4
The Review Map by RevuKangaroo WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in its plugin settings that allows authenticated administrators to inject arbitrary JavaScript code through insufficient input sanitization and output escaping. This vulnerability affects all versions up to and including 1.7 and only manifests in WordPress multisite installations or single-site installations where the unfiltered_html capability has been disabled. Once injected, the malicious script executes whenever any user accesses the affected page, making this a persistent XSS attack vector that can compromise user sessions and sensitive data.
WordPress
XSS
-
CVE-2026-4143
MEDIUM
CVSS 4.3
The Neos Connector for Fakturama WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the ncff_add_plugin_page() function, allowing unauthenticated attackers to modify plugin settings. Affected versions include all releases up to and including 0.0.14. An attacker can exploit this by tricking a site administrator into clicking a malicious link or visiting a crafted webpage, resulting in unauthorized modification of plugin configuration without the administrator's knowledge or consent.
WordPress
CSRF
-
CVE-2026-4127
MEDIUM
CVSS 4.3
The Speedup Optimization plugin for WordPress contains a missing authorization vulnerability in the `speedup01_ajax_enabled()` AJAX handler that fails to verify user capabilities or nonce tokens, allowing authenticated attackers with Subscriber-level privileges to enable or disable the site's optimization module. Affected versions include all releases up to and including 1.5.9, as documented by Wordfence. While the CVSS score of 5.3 is moderate, the vulnerability represents a clear authorization bypass that could allow low-privileged attackers to degrade site performance or disable security-relevant optimization features.
Authentication Bypass
WordPress
-
CVE-2026-4087
MEDIUM
CVSS 6.5
SQL injection in the Pre* Party Resource Hints WordPress plugin up to version 1.8.20 allows authenticated users with Subscriber-level permissions or higher to execute arbitrary database queries through the unescaped 'hint_ids' parameter in the pprh_update_hints AJAX action. An attacker can exploit this to extract sensitive information from the WordPress database without user interaction. No patch is currently available for this vulnerability.
WordPress
SQLi
-
CVE-2026-4086
MEDIUM
CVSS 6.4
The WP Random Button WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.0 affecting all installations of this plugin. Authenticated attackers with Contributor-level or higher privileges can inject arbitrary JavaScript code through improperly sanitized shortcode attributes ('cat', 'nocat', and 'text'), which will execute in the browsers of any user viewing the affected pages. With a CVSS score of 6.4 and network-accessible attack vector requiring only low-privileged authenticated access, this vulnerability poses a moderate but realistic risk to WordPress sites using this plugin, particularly those with contributor-level user accounts or where user roles are not carefully managed.
WordPress
XSS
-
CVE-2026-4084
MEDIUM
CVSS 6.4
The fyyd podcast shortcodes plugin for WordPress contains a Stored Cross-Site Scripting vulnerability affecting all versions up to and including 0.3.1, where shortcode attributes (color, podcast_id, podcast_slug) are improperly concatenated into inline JavaScript without sanitization or escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages, allowing session hijacking, credential theft, or malware distribution. The CVSS 6.4 score reflects moderate risk with network-accessible attack vector and low complexity, though exploitation requires prior authentication.
WordPress
XSS
-
CVE-2026-4077
MEDIUM
CVSS 6.4
The Ecover Builder For Dummies WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'id' parameter of the 'ecover' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in page content and executes for all users viewing the affected page. With a CVSS score of 6.4 and confirmed by Wordfence, this vulnerability enables privilege escalation and defacement attacks within WordPress environments.
WordPress
XSS
-
CVE-2026-4072
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the WordPress PayPal Donation plugin (all versions up to and including 1.01) due to insufficient input sanitization and output escaping in shortcode attribute handling. Authenticated attackers with Contributor-level access or above can inject arbitrary JavaScript code through malicious shortcode attributes that will execute for all users viewing the affected pages. With a CVSS score of 6.4 and confirmed vulnerability details available through Wordfence and WordPress plugin repository source code analysis, this represents a moderate but practical risk to WordPress installations using this plugin.
WordPress
XSS
-
CVE-2026-4069
MEDIUM
CVSS 6.1
The Alfie - Feed Plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'naam' parameter of the alfie_option_page() function, affecting all versions up to and including 1.2.1. The vulnerability stems from missing nonce validation combined with insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject malicious scripts that persist in the plugin's database and execute when users view affected pages. An attacker must successfully social engineer a site administrator into clicking a malicious link, but once exploited, the payload executes with the privileges of any user accessing the compromised page, making this a moderate-risk vulnerability with a CVSS score of 6.1.
WordPress
XSS
-
CVE-2026-4067
MEDIUM
CVSS 6.4
The Ad Short WordPress plugin versions up to 2.0.1 contain a Stored Cross-Site Scripting (XSS) vulnerability in the 'ad' shortcode's 'client' attribute that allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript code into pages. The vulnerability results from insufficient input sanitization and output escaping in the ad_func() shortcode handler, which directly concatenates user-supplied input into HTML attributes without applying proper escaping functions like esc_attr(). When affected pages are visited by other users, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution.
WordPress
XSS
-
CVE-2026-4022
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Show Posts List plugin for WordPress (versions up to 1.1.0) affecting the 'swiftpost-list' shortcode's 'post_type' attribute due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code into pages, which executes whenever any user views the compromised page. With a CVSS score of 6.4 and network-accessible attack vector requiring only low privileges, this represents a moderate-priority vulnerability for WordPress installations using this plugin, particularly those with multi-user environments.
WordPress
XSS
-
CVE-2026-4004
MEDIUM
CVSS 6.5
The Task Manager plugin for WordPress (all versions up to 3.0.2) contains an arbitrary shortcode execution vulnerability in the AJAX search callback function due to missing capability checks and insufficient input validation. Authenticated attackers with Subscriber-level privileges and above can inject malicious shortcode syntax into search parameters to execute arbitrary shortcodes on the WordPress site, potentially leading to code execution and site compromise. The vulnerability is classified with a CVSS 3.1 score of 6.5 and has been reported by Wordfence security researchers.
Code Injection
WordPress
RCE
-
CVE-2026-3997
MEDIUM
CVSS 6.4
The Text Toggle WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 1.1 affecting the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes. Authenticated attackers with Contributor-level privileges or above can inject arbitrary HTML attributes and event handlers by breaking out of the title attribute context, allowing malicious scripts to execute in the browsers of any user viewing affected pages. The vulnerability is classified as medium severity (CVSS 6.4) and requires authentication, but impacts site integrity and visitor security across any WordPress installation using this plugin.
WordPress
XSS
-
CVE-2026-3996
MEDIUM
CVSS 6.4
The WP Games Embed WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 0.1beta due to insufficient input sanitization and output escaping of shortcode attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript through shortcode parameters such as 'width', 'height', 'src', 'title', 'description', 'game_url', 'main', and 'thumb', which are directly concatenated into HTML output without escaping. When other users visit pages containing the malicious shortcode, the injected scripts execute in their browsers, potentially allowing session hijacking, credential theft, or malware distribution.
WordPress
XSS
-
CVE-2026-3651
MEDIUM
CVSS 5.3
The Build App Online WordPress plugin contains an authentication bypass vulnerability in the 'build-app-online-update-vendor-product' AJAX action that allows unauthenticated attackers to modify post metadata without authorization. Affected versions are up to and including 1.0.23 as confirmed via CPE (cpe:2.3:a:hakeemnala:build_app_online). Attackers can orphan posts by setting the post_author field to 0 or, if authenticated, claim ownership of arbitrary posts by reassigning authorship, resulting in unauthorized content modification with medium integrity impact (CVSS 5.3).
WordPress
Authentication Bypass
-
CVE-2026-3645
MEDIUM
CVSS 5.3
The Punnel - Landing Page Builder WordPress plugin contains a critical missing authorization vulnerability in the save_config() AJAX function that allows authenticated attackers with Subscriber-level privileges to overwrite the plugin's configuration and API key without proper capability checks or nonce verification. Combined with an insecure public API endpoint (sniff_requests()) that only validates requests via token comparison, attackers can subsequently create, update, or delete arbitrary posts, pages, and products on affected WordPress installations. The vulnerability affects all versions up to and including 1.3.1 and has been documented by Wordfence with publicly available code references.
Authentication Bypass
WordPress
PHP
-
CVE-2026-3641
MEDIUM
CVSS 5.3
The Appmax WordPress plugin versions up to 1.0.3 contain an improper input validation vulnerability in its public REST API webhook endpoint at /webhook-system that fails to authenticate, verify signatures, or validate the authenticity of incoming webhook requests. Unauthenticated attackers can exploit this by crafting malicious webhook payloads to modify existing WooCommerce order statuses, create arbitrary new orders and products with attacker-controlled data, and inject arbitrary metadata into orders. With a CVSS score of 5.3 (medium severity), a CVSS vector indicating network accessibility with low attack complexity and no authentication required, and confirmed vulnerability references in the official WordPress plugin repository, this vulnerability poses a significant integrity risk to e-commerce sites using the affected plugin.
Information Disclosure
WordPress
-
CVE-2026-3619
MEDIUM
CVSS 6.4
The Sheets2Table WordPress plugin versions up to 0.4.1 contain a Stored Cross-Site Scripting (XSS) vulnerability in the [sheets2table-render-table] shortcode's 'titles' attribute, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the display_table_header() function, where user-supplied shortcode attributes are echoed directly into HTML without proper escaping mechanisms such as esc_html().
WordPress
XSS
-
CVE-2026-3617
MEDIUM
CVSS 6.4
This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the PayPal Shortcodes WordPress plugin affecting all versions up to and including 0.3. The plugin fails to properly sanitize and escape the 'amount' and 'name' shortcode attributes, allowing authenticated attackers with Contributor-level access or higher to inject malicious JavaScript that executes for all users viewing affected pages. With a CVSS score of 6.4 and network-based attack vector, this represents a moderate-severity threat to WordPress installations using this plugin, particularly those with multiple contributor accounts.
WordPress
XSS
-
CVE-2026-3570
MEDIUM
CVSS 5.3
The Smarter Analytics WordPress plugin (all versions up to 2.0) contains an authentication bypass vulnerability that allows unauthenticated attackers to reset plugin configuration and delete all analytics settings via the 'reset' parameter in the global scope of smarter-analytics.php. This is a missing authentication and capability check vulnerability (CWE-862) with a CVSS score of 5.3, classified as moderate severity with low attack complexity and no authentication required. The vulnerability is publicly documented via Wordfence threat intelligence with direct references to the vulnerable code in the WordPress plugin repository, though no active exploitation in the wild or public proof-of-concept has been widely reported.
WordPress
PHP
Authentication Bypass
-
CVE-2026-3554
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sherk Custom Post Type Displays WordPress plugin (versions up to 1.2.1) where the 'title' shortcode attribute is insufficiently sanitized and directly concatenated into HTML output without escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability has a CVSS score of 6.4 (Medium) with a local privilege requirement, making it exploitable by lower-privileged authenticated users rather than unauthenticated remote attackers.
WordPress
PHP
XSS
-
CVE-2026-3546
MEDIUM
CVSS 5.3
The e-shot form builder plugin for WordPress contains a sensitive information exposure vulnerability in the eshot_form_builder_get_account_data() AJAX handler that is accessible to any authenticated user without capability checks or nonce verification. An attacker with Subscriber-level access or higher can extract the e-shot API token and subaccount information by calling this AJAX endpoint, potentially compromising the victim's e-shot platform account. The vulnerability affects all versions up to and including 1.0.2, and while this CVE does not appear in the KEV catalog or have public proof-of-concept code readily available, the CVSS score of 5.3 reflects moderate risk due to the low attack complexity and lack of user interaction required.
WordPress
Information Disclosure
-
CVE-2026-3506
MEDIUM
CVSS 5.3
The WP-Chatbot for Messenger WordPress plugin versions up to 4.9 contains an authorization bypass vulnerability that allows unauthenticated attackers to overwrite critical chatbot configuration options, specifically the MobileMonkey API token and company ID. This enables attackers to hijack the site's chatbot functionality and redirect visitor conversations to attacker-controlled accounts without requiring any authentication or user interaction. The vulnerability has a CVSS score of 5.3 with a network attack vector and no privilege requirements, making it readily exploitable by any remote attacker.
WordPress
Authentication Bypass
-
CVE-2026-3460
MEDIUM
CVSS 5.3
The REST API TO MiniProgram plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with Subscriber-level access to modify arbitrary users' WeChat shop metadata by exploiting a permission validation flaw. The vulnerability affects all versions up to and including 5.1.2, where the permission callback validates one parameter (openid) but the actual modification function uses a different attacker-controlled parameter (userid) without cross-validation. Attackers can exploit this via the REST API to alter storeinfo, storeappid, and storename fields for any user account, potentially disrupting store operations or impersonating legitimate shop owners.
Information Disclosure
WordPress
-
CVE-2026-3354
MEDIUM
CVSS 4.4
The Wikilookup plugin for WordPress versions up to 1.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'Popup Width' setting due to insufficient input sanitization and output escaping. Authenticated attackers with Administrator-level access can inject arbitrary JavaScript that executes for all users viewing affected pages, but only in multi-site installations or where the unfiltered_html capability has been disabled. With a CVSS score of 4.4 and high attack complexity requirements, this represents a low-to-moderate real-world threat that requires both administrative access and specific WordPress configurations to exploit.
WordPress
XSS
-
CVE-2026-3353
MEDIUM
CVSS 4.4
The Comment SPAM Wiper plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'API Key' setting that allows authenticated administrators to inject arbitrary JavaScript code. This vulnerability affects multi-site WordPress installations and those with the unfiltered_html capability disabled, impacting versions up to and including 1.2.1. While the CVSS score of 4.4 is moderate and exploitation requires high-privilege access (Administrator level), the stored nature of the XSS means injected scripts execute for all users accessing affected pages, creating persistent exposure.
WordPress
XSS
-
CVE-2026-3347
MEDIUM
CVSS 5.5
A Stored Cross-Site Scripting vulnerability exists in the Multi Functional Flexi Lightbox WordPress plugin (versions up to and including 1.2) that allows authenticated administrators to inject arbitrary JavaScript code via the arv_lb[message] parameter. The vulnerability stems from insufficient input sanitization in the arv_lb_options_val() callback function and missing output escaping in the genLB() function, enabling malicious scripts to execute in the browsers of any user viewing pages or posts with the lightbox enabled. With a CVSS score of 5.5 and requiring high-privilege administrator access, this represents a moderate but real risk primarily applicable to compromised or malicious admin accounts.
WordPress
XSS
-
CVE-2026-3335
MEDIUM
CVSS 5.3
The Canto plugin for WordPress (versions up to 3.1.1) contains a critical missing authorization vulnerability in the copy-media.php file and related endpoints that allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory. The vulnerability stems from multiple PHP files being directly accessible without authentication, nonce validation, or authorization checks, while also accepting attacker-controlled parameters for API endpoints and domain configuration. An attacker can exploit this to upload malicious files (within WordPress MIME type constraints) or redirect legitimate file operations to attacker-controlled infrastructure, potentially leading to remote code execution or site compromise.
WordPress
PHP
Authentication Bypass
-
CVE-2026-3333
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the MinhNhut Link Gateway WordPress plugin versions up to and including 3.6.1, where the 'linkgate' shortcode fails to properly sanitize and escape user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript that persists in pages and executes for all users who view those pages. The vulnerability has a CVSS 3.1 score of 6.4 with a network attack vector and low complexity, indicating practical exploitability by lower-privileged authenticated users.
WordPress
XSS
-
CVE-2026-3332
MEDIUM
CVSS 4.3
The Xhanch - My Advanced Settings WordPress plugin (versions up to 1.1.2) contains a Cross-Site Request Forgery vulnerability in its settings update handler due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings if they can trick an administrator into clicking a malicious link. The vulnerability is particularly dangerous because unescaped output of the `favicon_url` and `ga_acc_id` settings enables a CSRF-to-Stored XSS chain, where injected payloads persist and affect all site visitors. While no active exploitation in the wild has been confirmed in public records and the CVSS score of 4.3 is relatively low, the attack requires only user interaction and results in stored cross-site scripting on the front-end.
Google
WordPress
CSRF
XSS
-
CVE-2026-3331
MEDIUM
CVSS 4.3
The Lobot Slider Administrator WordPress plugin (versions up to 0.6.0) contains a Cross-Site Request Forgery (CSRF) vulnerability in the fourty_slider_options_page function due to missing or incorrect nonce validation. This allows unauthenticated attackers to modify plugin slider-page configuration by tricking site administrators into clicking malicious links, potentially altering slider settings and website presentation. The vulnerability carries a moderate CVSS score of 4.3 with low attack complexity, requiring only user interaction and no privileges.
WordPress
CSRF
-
CVE-2026-2837
MEDIUM
CVSS 4.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Ricerca - advanced search WordPress plugin affecting all versions up to and including 1.1.12, caused by insufficient input sanitization and output escaping in the plugin's settings interface. Only authenticated administrators on multi-site WordPress installations or those with unfiltered_html disabled are able to inject malicious scripts that execute for all users viewing affected pages. The CVSS score of 4.4 reflects the requirement for high-privilege administrative access and specific configuration conditions, though the impact remains meaningful given the scope of affected multi-site deployments.
WordPress
XSS
-
CVE-2026-2756
MEDIUM
CVSS 5.0
OmniPEMF NeoRhythm contains a missing authentication vulnerability in its Bluetooth Low Energy (BLE) interface that allows unauthenticated local network attackers to achieve limited unauthorized access. The vulnerability affects all versions up to and including 20260308 and requires high attack complexity but results in confidentiality, integrity, and availability impacts. While the CVSS score is moderate at 5.0, the vendor has failed to respond to early disclosure notifications, leaving affected users without official patches or timeline guidance.
Authentication Bypass
-
CVE-2026-2723
MEDIUM
CVSS 6.1
The Post Snippits WordPress plugin, in all versions up to and including 1.0, contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on settings page handlers that manage snippet creation, modification, and deletion. Unauthenticated attackers can exploit this by crafting malicious requests that, when an administrator is tricked into triggering them via a forged link, allow injection of arbitrary scripts and modification of plugin settings, potentially leading to site compromise. The vulnerability has a CVSS score of 6.1 with a network attack vector requiring user interaction.
WordPress
CSRF
-
CVE-2026-2720
MEDIUM
CVSS 6.5
The Hr Press Lite WordPress plugin (versions up to 1.0.2) contains a missing capability check vulnerability in the hrp-fetch-employees AJAX action that allows authenticated attackers with Subscriber-level access to retrieve sensitive employee information including names, email addresses, phone numbers, salary data, employment dates, and employment status. This represents a clear privilege escalation and information disclosure flaw with a CVSS score of 6.5 (Medium severity, high confidentiality impact) affecting all versions of the plugin distributed through the WordPress plugin repository.
Authentication Bypass
WordPress
-
CVE-2026-2503
MEDIUM
CVSS 6.5
The ElementCamp plugin for WordPress contains a time-based SQL injection vulnerability in the 'tcg_select2_search_post' AJAX action through improper validation of the 'meta_query[compare]' parameter. Authenticated attackers with Author-level privileges or higher can inject arbitrary SQL operators to extract sensitive database information, as the vulnerable code places user-supplied comparison operators directly into SQL queries without allowlist validation, rendering esc_sql() ineffective for operator-level payloads. The CVSS score of 6.5 reflects moderate severity with high confidentiality impact but no integrity or availability impact, limited to authenticated users with elevated privileges.
WordPress
SQLi
-
CVE-2026-2501
MEDIUM
CVSS 6.4
Ed's Social Share plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the social_share shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 2.0 are affected, allowing authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript that executes for all users viewing the compromised page. With a CVSS score of 6.4 and network-accessible attack vector requiring only low privileges, this vulnerability poses a moderate-to-significant risk in multi-author WordPress environments.
WordPress
XSS
-
CVE-2026-2496
MEDIUM
CVSS 6.4
Ed's Font Awesome plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the eds_font_awesome shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 2.0 are affected, allowing authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript that persists in pages and executes for all users viewing those pages. No evidence of active exploitation in the wild (KEV status unknown), but the vulnerability is straightforward to exploit given contributor access and represents a persistent compromise vector.
WordPress
XSS
-
CVE-2026-2427
MEDIUM
CVSS 6.1
The itsukaita WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability in the 'day_from' and 'day_to' parameters due to insufficient input sanitization and output escaping. All versions up to and including 0.1.2 are affected, allowing unauthenticated attackers to inject arbitrary web scripts that execute in administrator browsers if they click a malicious link. With a CVSS score of 6.1 (Medium) and a requirement for user interaction (UI:R), this vulnerability poses a moderate but real threat to WordPress installations using this plugin.
WordPress
XSS
-
CVE-2026-2424
MEDIUM
CVSS 4.4
The Reward Video Ad for WordPress plugin (all versions up to 1.6) contains a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings due to insufficient input sanitization and output escaping on fields including Account ID, Message before the video, and color parameters. This allows authenticated administrators to inject arbitrary JavaScript that executes whenever any user accesses an affected page, potentially compromising site visitors. The vulnerability requires Administrator-level access to exploit, limiting the attack surface to high-privilege accounts, though once injected, the malicious scripts execute with no further user interaction required.
WordPress
XSS
-
CVE-2026-2375
MEDIUM
CVSS 6.5
The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.
Apple
Google
WordPress
PHP
Privilege Escalation
-
CVE-2026-2351
MEDIUM
CVSS 6.5
The Task Manager plugin for WordPress contains an arbitrary file read vulnerability in the callback_get_text_from_url() function that allows authenticated attackers with Subscriber-level privileges and above to read sensitive files from the server. This information disclosure vulnerability affects all versions up to and including 3.0.2 of the eoxia Task Manager plugin. The vulnerability has a CVSS score of 6.5 and presents moderate real-world risk due to its low attack complexity and the prevalence of WordPress installations, though exploitation requires valid user credentials.
WordPress
Information Disclosure
-
CVE-2026-2294
MEDIUM
CVSS 4.3
UiPress lite plugin for WordPress through version 3.5.09 fails to validate user permissions on the global settings modification function, allowing authenticated subscribers and higher-privileged users to arbitrarily alter plugin configurations. This insufficient access control enables attackers to modify sensitive settings despite lacking administrative rights. A patch is not currently available.
Authentication Bypass
WordPress
-
CVE-2026-2277
MEDIUM
CVSS 6.1
The rexCrawler WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability in the search-pattern tester page that allows unauthenticated attackers to inject arbitrary web scripts via inadequately sanitized 'url' and 'regex' parameters. Affected versions are up to and including 1.0.15 (CPE: cpe:2.3:a:larsdrasmussen:rexcrawler:*:*:*:*:*:*:*:*), with exploitation requiring social engineering to trick administrators into clicking a malicious link. This vulnerability is limited to WordPress multisite installations or sites where the unfiltered_html capability has been disabled, and carries a CVSS v3.1 score of 6.1 with an AV:N/AC:L/PR:N/UI:R/S:C profile indicating network-based exploitation with user interaction required.
WordPress
XSS
-
CVE-2026-2121
MEDIUM
CVSS 4.4
The Weaver Show Posts plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'add_class' parameter due to insufficient input sanitization and output escaping. Authenticated attackers with Administrator-level access can inject arbitrary web scripts that execute when users access injected pages, with particular impact in multisite installations where Administrators lack the unfiltered_html capability. A proof-of-concept demonstration exists, though the CVSS 4.4 score reflects the high privilege requirement needed for exploitation.
WordPress
XSS
-
CVE-2026-1935
MEDIUM
CVSS 4.3
The Company Posts for LinkedIn WordPress plugin (versions up to 1.0.0) contains a missing authorization vulnerability in the linkedin_company_post_reset_handler() function that allows authenticated attackers with Subscriber-level privileges to delete LinkedIn post data from the site's options table without proper capability checks. This is a privilege escalation flaw where low-privileged users can perform administrative actions. While the CVSS score is moderate at 4.3 and reflects limited integrity impact without confidentiality or availability concerns, the vulnerability enables unauthorized modification of site configuration data by any authenticated user.
Authentication Bypass
WordPress
-
CVE-2026-1914
MEDIUM
CVSS 6.4
The FuseDesk WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the fusedesk_newcase shortcode that fails to properly sanitize and escape the 'emailtext' attribute. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into WordPress pages that execute for all subsequent visitors. The vulnerability affects all versions up to and including 6.8, with a CVSS score of 6.4 indicating moderate severity; no KEV or active exploitation data is currently documented, but the low attack complexity and network accessibility make this a meaningful concern for multi-user WordPress installations.
WordPress
XSS
-
CVE-2026-1911
MEDIUM
CVSS 6.4
The Twitter Feeds plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'tweet_title' parameter of the TwitterFeeds shortcode due to insufficient input sanitization and output escaping. All versions up to and including 1.0.0 are affected, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that persists in pages and executes for all users who view the compromised content. With a CVSS score of 6.4 (Medium) and CWE-79 classification, this vulnerability poses a meaningful risk to WordPress sites using this plugin, particularly those with permissive user role assignments.
WordPress
XSS
-
CVE-2026-1908
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Integration with Hubspot Forms WordPress plugin (all versions up to 1.2.2) due to insufficient input sanitization and output escaping on shortcode attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript into pages via the 'hubspotform' shortcode, which executes whenever users access the compromised page. While no public exploit-in-the-wild activity has been reported, the vulnerability is straightforward to exploit and poses a moderate risk given the low privilege requirement and broad attack surface in WordPress environments.
WordPress
XSS
-
CVE-2026-1899
MEDIUM
CVSS 6.4
The Any Post Slider WordPress plugin versions up to 1.0.4 contain a Stored Cross-Site Scripting (XSS) vulnerability in the aps_slider shortcode due to insufficient input sanitization and output escaping on the 'post_type' attribute. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in pages and executes for all users who view the injected content. With a CVSS score of 6.4 and attack complexity marked as low, this represents a moderate-severity threat primarily affecting multi-user WordPress installations where contributor access is delegated.
WordPress
XSS
-
CVE-2026-1891
MEDIUM
CVSS 6.4
The Simple Football Scoreboard plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ytmr_fb_scoreboard' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 1.0 are affected, allowing authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript that executes for all users viewing the compromised page. With a CVSS score of 6.4 and network-based attack vector requiring only low privileges, this represents a moderate but exploitable threat to WordPress sites using this plugin.
WordPress
XSS
-
CVE-2026-1889
MEDIUM
CVSS 6.4
The Outgrow WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.1, affecting the 'id' attribute of the 'outgrow' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary JavaScript that executes for all users viewing affected pages. With a CVSS score of 6.4 and moderate attack complexity, this vulnerability poses a real threat to WordPress sites using this plugin, as privilege escalation through stored XSS could enable further compromise.
WordPress
XSS
-
CVE-2026-1886
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Go Night Pro WordPress Dark Mode Plugin affecting all versions up to and including 1.1.0, where the 'margin' attribute of the 'go-night-pro-shortcode' shortcode fails to properly sanitize and escape user input. Authenticated attackers with contributor-level access or above can inject arbitrary JavaScript code into pages, which executes when other users access the affected pages. This vulnerability carries a CVSS score of 6.4 (Medium) with network-based attack vector and low complexity, requiring valid WordPress credentials but affecting site-wide script execution with potential impact on user data and site integrity.
WordPress
XSS
-
CVE-2026-1854
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Post Flagger WordPress plugin for all versions up to and including 1.1, caused by insufficient input sanitization and output escaping in the 'flag' shortcode's user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript code into pages, which executes for all users who view those pages. This vulnerability has a CVSS score of 6.4 (Medium) and is confirmed in the WordPress plugin repository; no evidence of active exploitation or public proof-of-concept is currently documented, but the straightforward nature of the vulnerability suggests exploitation potential.
WordPress
XSS
-
CVE-2026-1851
MEDIUM
CVSS 6.4
The iVysilani Shortcode WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'width' shortcode attribute due to insufficient input sanitization and output escaping. All versions up to and including 3.0 are affected, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that persists in page content and executes for all subsequent site visitors. The vulnerability has been documented by Wordfence with proof-of-concept code available in the WordPress plugin repository, presenting a significant risk to WordPress installations relying on this plugin.
WordPress
XSS
-
CVE-2026-1822
MEDIUM
CVSS 6.4
The WP NG Weather plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ng-weather' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 1.0.9 are affected, allowing authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript that executes when users visit pages containing the malicious shortcode. With a CVSS score of 6.4 and network-accessible attack vector, this vulnerability poses a moderate risk to WordPress installations using this plugin.
WordPress
XSS
-
CVE-2026-1806
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Tour & Activity Operator Plugin for TourCMS (all versions up to 1.7.0) affecting WordPress installations. The vulnerability resides in the 'target' parameter of the tourcms_doc_link shortcode, where insufficient input sanitization and output escaping allows authenticated attackers with Contributor-level privileges and above to inject arbitrary JavaScript code that executes in the browsers of users visiting affected pages. With a CVSS score of 6.4 and network-based attack vector requiring only low privileges, this represents a moderate but exploitable risk to WordPress sites using this plugin.
WordPress
XSS
-
CVE-2026-1647
MEDIUM
CVSS 6.1
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Comment Genius WordPress plugin versions up to 1.2.5, where the PHP_SELF server variable is insufficiently sanitized and escaped in output, allowing unauthenticated attackers to inject arbitrary JavaScript code. Affected users are WordPress site administrators and visitors who can be tricked into clicking malicious links. The vulnerability has a CVSS score of 6.1 (Medium) with network accessibility and low complexity, though it requires user interaction to execute.
WordPress
XSS
-
CVE-2026-1575
MEDIUM
CVSS 6.4
The Schema Shortcode plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the `itemscope` shortcode that allows authenticated attackers with contributor-level access or higher to inject arbitrary malicious scripts into pages. These injected scripts execute whenever any user accesses the affected page, potentially compromising visitor sessions and data. With a CVSS score of 6.4 and confirmed vulnerability through Wordfence intelligence, this represents a meaningful risk to WordPress sites using this plugin, though exploitation requires authenticated access rather than unauthenticated exploitation.
WordPress
XSS
-
CVE-2026-1503
MEDIUM
CVSS 4.3
The login_register plugin for WordPress versions up to 1.2.0 contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability due to missing nonce validation and insufficient input sanitization on the settings page. Unauthenticated attackers can craft malicious links to trick administrators into injecting arbitrary JavaScript that persists and executes for all users accessing affected pages. The CVSS score is a moderate 4.3 because the vulnerability requires user interaction (an administrator click), but it enables persistent script injection with potential for credential theft or further compromise.
WordPress
XSS
CSRF
-
CVE-2026-1397
MEDIUM
CVSS 6.4
The PQ Addons - Creative Elementor Widgets plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Section Title widget's html_tag parameter due to insufficient input sanitization and output escaping. All versions up to and including 1.0.0 are affected, allowing authenticated attackers with contributor-level access or above to inject arbitrary JavaScript that executes when users view affected pages. The vulnerability has a CVSS score of 6.4 (Medium) and exploits are possible since the attack requires only low privilege levels and no user interaction beyond page access.
WordPress
XSS
-
CVE-2026-1393
MEDIUM
CVSS 4.3
The Add Google Social Profiles to Knowledge Graph Box WordPress plugin (all versions up to 1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on its settings update functionality. An unauthenticated attacker can forge malicious requests to modify the plugin's Knowledge Graph settings if they can trick a site administrator into clicking a malicious link. While the CVSS score of 4.3 is moderate, the attack requires user interaction and has no confidentiality impact, making it a lower-severity real-world threat despite being easily exploitable.
Google
WordPress
CSRF
-
CVE-2026-1392
MEDIUM
CVSS 4.3
The SR WP Minify HTML plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the sr_minify_html_theme() function, affecting all versions up to and including 2.1. An unauthenticated attacker can exploit this vulnerability to modify plugin settings by tricking a site administrator into clicking a malicious link, potentially allowing unauthorized changes to site minification configuration. While the CVSS score of 4.3 is moderate and no KEV status or active exploitation has been confirmed, the vulnerability remains exploitable against WordPress installations with this plugin active.
WordPress
CSRF
-
CVE-2026-1390
MEDIUM
CVSS 4.3
The Redirect Countdown WordPress plugin for all versions up to and including 1.0 contains a Cross-Site Request Forgery vulnerability in the countdown_settings_content() function due to missing nonce validation. An unauthenticated attacker can trick a site administrator into clicking a malicious link to modify critical plugin settings including countdown timeout, redirect URL, and custom text. With a CVSS score of 4.3 and network-accessible attack vector, this vulnerability has moderate real-world impact despite low baseline severity, as it directly affects site functionality and user experience.
WordPress
CSRF
-
CVE-2026-1378
MEDIUM
CVSS 4.3
The WP Posts Re-order plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0 due to missing nonce validation in the cpt_plugin_options() function. An unauthenticated attacker can exploit this to modify critical plugin settings including capability, autosort, and adminsort configurations by tricking a site administrator into clicking a malicious link. The vulnerability has a CVSS score of 4.3 (medium severity) with low attack complexity and requires user interaction, and while no public exploit code has been reported, the straightforward nature of CSRF attacks means proof-of-concept development is trivial.
WordPress
CSRF
-
CVE-2026-1278
MEDIUM
CVSS 4.4
The Mandatory Field plugin for WordPress versions up to 1.6.8 contains a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings due to insufficient input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript that executes for all users accessing affected pages, but exploitation is limited to multi-site WordPress installations or those with unfiltered_html disabled. With a CVSS score of 4.4 and high attack complexity, this represents a moderate-severity privilege escalation risk for WordPress administrators seeking to inject malicious scripts; no public POC or active exploitation has been indicated in KEV data.
WordPress
XSS
-
CVE-2026-1275
MEDIUM
CVSS 6.4
The Multi Post Carousel by Category WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'slides' shortcode attribute due to insufficient input sanitization and output escaping in the post_slides_shortcode function. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code into pages, and the malicious script will execute whenever any user visits the affected page. With a CVSS score of 6.4 and confirmed vulnerability across all versions up to and including 1.4, this represents a moderate-risk vulnerability primarily affecting WordPress sites using this plugin.
WordPress
XSS
-
CVE-2026-1253
MEDIUM
CVSS 4.3
The Group Chat & Video Chat by AtomChat WordPress plugin (versions up to 1.1.7) contains a missing capability check vulnerability in the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' AJAX handlers, allowing authenticated Subscriber-level users and above to arbitrarily modify plugin options including API keys and authentication credentials. With a CVSS score of 5.3 and network-based attack vector requiring only authentication (not admin privileges), this represents a medium-severity privilege escalation and configuration tampering issue affecting WordPress installations using this plugin. No evidence of active exploitation in the wild has been documented at this time, though the straightforward nature of the vulnerability (missing capability checks) suggests proof-of-concept code could be easily developed.
Authentication Bypass
WordPress
-
CVE-2026-1247
MEDIUM
CVSS 4.4
The Survey plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in administrative settings due to insufficient input sanitization and output escaping, affecting all versions up to and including 1.1. Authenticated attackers with administrator-level permissions can inject arbitrary JavaScript code that executes when users access affected pages, though this is restricted to multi-site installations or those with unfiltered_html disabled. With a CVSS score of 4.4 and high attack complexity requiring administrator privileges, the real-world risk is moderate; no public exploit code or KEV status has been indicated, making this a lower-priority remediation compared to critical vulnerabilities.
WordPress
XSS
-
CVE-2026-1093
MEDIUM
CVSS 6.4
The WPFAQBlock plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the 'class' parameter of the 'wpfaqblock' shortcode, affecting all versions up to and including 1.1. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in pages and executes for all users visiting those pages. With a CVSS score of 6.4 and low attack complexity, this represents a moderate-to-significant risk for WordPress installations using this plugin, particularly on multi-author sites where contributor accounts may be compromised or malicious.
WordPress
XSS
-
CVE-2026-0609
MEDIUM
CVSS 6.4
A Stored Cross-Site Scripting (XSS) vulnerability exists in the Logo Slider WordPress plugin (versions up to 4.9.0) that allows authenticated attackers with author-level privileges to inject malicious scripts through image alt text in the 'logo-slider' shortcode. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent script execution whenever users access pages containing the injected content. With a CVSS score of 6.4 and moderate real-world exploitability, this represents a credible threat to WordPress sites with multiple trusted authors.
WordPress
XSS
-
CVE-2025-13910
MEDIUM
CVSS 6.1
The WP-WebAuthn WordPress plugin contains an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the wwa_auth AJAX endpoint that allows attackers to inject arbitrary JavaScript into the plugin's log page. Affected are all versions up to and including 1.3.4 of the plugin (identified via CPE cpe:2.3:a:axton:wp-webauthn:*:*:*:*:*:*:*:*), which is exploitable only when logging is enabled in plugin settings. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes, enabling persistent XSS execution whenever administrators or authorized users access the logging interface.
WordPress
XSS
PHP
-
CVE-2024-13785
MEDIUM
CVSS 5.6
The Contact Form, Survey, Quiz & Popup Form Builder - ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable with no authentication required. No vendor patch is available.
RCE
WordPress
Code Injection
-
CVE-2026-32897
LOW
CVSS 3.7
OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.
Information Disclosure
-
CVE-2026-32067
LOW
CVSS 3.7
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control mechanism for direct message pairing policies, allowing attackers to reuse pairing approvals across multiple accounts in multi-account deployments. An authenticated attacker (PR:L) who has been approved as a sender in one account can be automatically accepted in another account without explicit re-approval, effectively bypassing authorization boundaries between accounts. The vulnerability has a CVSS score of 3.7 with medium attack complexity and low confidentiality and integrity impacts; no active exploitation in the wild (KEV) or public proof-of-concept has been confirmed, but patches are available from the vendor.
Authentication Bypass
-
CVE-2026-32058
LOW
CVSS 2.6
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness that allows attackers to reuse previously approved system.run execution requests with modified environment variables, bypassing approval-enabled workflow integrity controls. An attacker with access to an approval ID can exploit this vulnerability to execute commands with different environment settings than originally approved, effectively circumventing execution-integrity safeguards. The vulnerability requires local/network access and user interaction, resulting in a low CVSS score of 2.6, but represents a meaningful integrity violation in approval workflows where execution consistency is critical.
Authentication Bypass
-
CVE-2026-32050
LOW
CVSS 3.7
OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in the signal reaction notification handling mechanism that allows unauthenticated attackers to enqueue status events before authorization checks are performed. Attackers can exploit the reaction-only event path in event-handler.ts to inject signal reaction status lines into sessions without validating proper DM or group access permissions, resulting in integrity compromise. The vulnerability has a CVSS score of 3.7 (low-to-moderate severity) with an attack vector of network, high complexity, and no privileges required, though no active exploitation or public proof-of-concept has been confirmed in known exploit databases.
Authentication Bypass
-
CVE-2026-2290
LOW
CVSS 3.8
The Post Affiliate Pro WordPress plugin versions up to 1.28.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows authenticated administrators to make arbitrary outbound web requests from the affected server and read response content. An attacker with administrator-level access can exploit this to interact with internal services, exfiltrate data, or pivot to other systems. Wordfence has confirmed exploitation via external Collaborator endpoints, and the CVSS 6.5 score reflects moderate severity with low attack complexity.
WordPress
SSRF