Skip to main content
CVE-2026-32045 MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in HTTP gateway routes due to incorrect application of tokenless Tailscale header authentication. Attackers on trusted networks can access HTTP gateway routes without providing required token or password credentials, potentially exposing sensitive functionality. A patch is available from the vendor, and this vulnerability has been disclosed publicly via GitHub Security Advisory GHSA-hff7-ccv5-52f8.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-4528 MEDIUM POC This Month

A Server-Side Request Forgery (SSRF) vulnerability exists in the validateUrlSecurity function within trueleaf ApiFlow version 0.9.7's URL validation handler. This flaw allows unauthenticated remote attackers to manipulate server-side requests to access internal resources or perform actions on behalf of the server. A public proof-of-concept exploit has been disclosed and is available, significantly lowering the barrier to exploitation.

SSRF Apiflow
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2019-25570 MEDIUM POC This Month

RealTerm Serial Terminal 2.0.0.70 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Port field. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Realterm
NVD Exploit-DB VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2019-25564 MEDIUM POC This Month

PCHelpWareV2 1.0.0.5 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Group field. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Denial Of Service Buffer Overflow Pchelpwarev2
NVD Exploit-DB VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2019-25562 MEDIUM POC This Month

jetAudio 8.1.7 contains a buffer overflow vulnerability in the video converter component that allows local attackers to crash the application by supplying an oversized string in the File Naming. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Denial Of Service Buffer Overflow Convert Video Jetaudio
NVD Exploit-DB VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-32044 MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability that selectively bypasses safety checks for tar.bz2 skill archives while other formats enforce proper validation. An attacker can craft a malicious tar.bz2 skill archive that circumvents special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation when a user interacts with the installer. This is a local, user-interaction-dependent vulnerability with no authentication required, rated CVSS 5.5 (medium severity) with denial of service impact.

Denial Of Service Openclaw
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-32898 MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP (Approval Control Panel) client that automatically approves tool calls based on untrusted metadata and overly permissive heuristics. An authenticated attacker with PR (privileges required) can bypass interactive approval prompts for read-class operations by spoofing toolCall.kind metadata or using non-core read-like function names to reach auto-approve execution paths. This vulnerability enables unauthorized information disclosure and modification without user interaction, and while not currently listed as actively exploited in KEV, proof-of-concept demonstrations are available via vendor security advisories.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32895 MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.26 contain an authentication bypass vulnerability in their Slack system event handlers that fails to properly enforce sender authorization checks. Attackers with low-privilege access (PR:L in CVSS vector) can craft and send unauthorized system events through message_changed, message_deleted, and thread_broadcast event types to bypass Slack DM allowlists and per-channel user allowlists. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact; no KEV or active exploitation has been publicly disclosed, but a patch is available from the vendor.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32046 MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability (CWE-1188) that allows local attackers with low privileges to execute arbitrary code on the host system by exploiting disabled OS-level sandbox protections in the Chromium browser container. The vulnerability does not require a sandbox escape, making exploitation straightforward for local users. A patch is available from the vendor, and the issue was reported by VulnCheck with references to GitHub security advisories and patch commits.

RCE Google Chrome
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4261 HIGH This Week

The Expire Users plugin for WordPress versions up to and including 1.2.2 contains a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to elevate their privileges to administrator level. This occurs because the plugin improperly allows users to update the 'on_expire_default_to_role' meta field through the 'save_extra_user_profile_fields' function without proper authorization checks. With a CVSS score of 8.8 (High severity), this represents a critical security issue for affected WordPress installations, though no active exploitation (KEV) or EPSS data has been reported at this time.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2941 HIGH This Week

The Linksy Search and Replace plugin for WordPress versions up to 1.0.4 contains a missing capability check vulnerability that allows authenticated attackers with subscriber-level access or higher to modify arbitrary database tables. Attackers can exploit this to elevate their privileges to administrator by modifying the wp_capabilities field, achieving complete site takeover. With a CVSS score of 8.8 (High), this represents a critical privilege escalation vulnerability affecting authenticated users with minimal access.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3334 HIGH PATCH This Week

The CMS Commander plugin for WordPress contains an SQL Injection vulnerability in all versions up to and including 2.288. Authenticated attackers with API key access can exploit the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in the restore workflow to append malicious SQL queries and extract sensitive database information. With a CVSS score of 8.8, this represents a high-severity vulnerability requiring low attack complexity and low privileges, though no active exploitation (KEV) or public POC has been reported at this time.

WordPress SQLi
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32065 MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in the system.run function where the rendered command text displayed to approvers has whitespace trimmed from argv tokens, but the actual runtime execution uses the raw, untrimmed argv. An attacker with the ability to influence command arguments and reuse an approval context can craft a trailing-space executable token to execute a different binary than what was approved, resulting in arbitrary command execution under the OpenClaw runtime user. The CVSS score of 4.8 reflects the requirement for local privileges and user interaction, though the integrity impact is marked as high due to the ability to execute unauthorized commands.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-1313 HIGH This Week

The MimeTypes Link Icons plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability affecting all versions up to and including 3.2.20. Authenticated attackers with Contributor-level access or higher can exploit this flaw when the 'Show file size' option is enabled by embedding crafted links in post content, allowing them to make arbitrary HTTP requests from the server to internal or external resources. This enables querying and potentially modifying information from internal services that should not be accessible from the public internet.

WordPress SSRF
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-32899 MEDIUM POC PATCH This Month

OpenClaw fails to consistently apply sender-policy checks to reaction and pin event handlers, allowing authenticated attackers to bypass configured direct message policies and channel user allowlists by injecting unauthorized events from restricted senders. The vulnerability affects OpenClaw versions prior to 2026.2.25, requires low privileges (authenticated user), and enables unauthorized event injection with moderate severity (CVSS 4.3). A patch is available from the vendor, and the vulnerability has been documented in the VulnCheck advisory and GitHub Security Advisory GHSA-rm2p-j3r7-4x4j.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3629 HIGH This Week

The Import and export users and customers plugin for WordPress contains a privilege escalation vulnerability that allows unauthenticated attackers to gain Administrator privileges. All versions up to and including 1.29.7 are affected. The vulnerability can only be exploited when specific configuration conditions are met (the 'Show fields in profile' setting is enabled and a CSV with wp_capabilities column has been previously imported), which increases attack complexity but does not eliminate the critical risk.

WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-14037 HIGH This Week

The Invelity Product Feeds plugin for WordPress contains an arbitrary file deletion vulnerability through path traversal in versions up to and including 1.2.6. Authenticated administrators can be socially engineered into clicking malicious links that delete arbitrary server files due to missing validation in the createManageFeedPage function. No evidence of active exploitation (not in KEV) exists, though the vulnerability is publicly documented with technical details available via WordPress plugin repository references.

CSRF WordPress Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-32897 LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-32050 LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in the signal reaction notification handling mechanism that allows unauthenticated attackers to enqueue status events before authorization checks are performed. Attackers can exploit the reaction-only event path in event-handler.ts to inject signal reaction status lines into sessions without validating proper DM or group access permissions, resulting in integrity compromise. The vulnerability has a CVSS score of 3.7 (low-to-moderate severity) with an attack vector of network, high complexity, and no privileges required, though no active exploitation or public proof-of-concept has been confirmed in known exploit databases.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-4373 HIGH This Week

The JetFormBuilder plugin for WordPress contains a critical path traversal vulnerability allowing unauthenticated attackers to read arbitrary files from the server. All versions up to and including 3.5.6.2 are affected. Attackers can exploit this to exfiltrate sensitive local files as email attachments by submitting crafted form requests with malicious Media Field payloads, with a CVSS score of 7.5 indicating high confidentiality impact.

WordPress Path Traversal
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1800 HIGH This Week

The Fonts Manager | Custom Fonts plugin for WordPress contains a time-based SQL injection vulnerability in versions up to and including 1.2. Unauthenticated attackers can exploit the vulnerable 'fmcfIdSelectedFnt' parameter to extract sensitive database information without requiring any privileges or user interaction. The vulnerability has a CVSS score of 7.5, indicating high confidentiality impact, though no KEV listing or EPSS score is provided in the available data.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2468 HIGH This Week

The Quentn WP plugin for WordPress contains an SQL Injection vulnerability that allows unauthenticated attackers to extract sensitive database information through a malicious 'qntn_wp_access' cookie value. All versions up to and including 1.2.12 are affected. With a CVSS score of 7.5 and requiring no authentication or user interaction, this represents a significant risk for WordPress sites using this plugin, though no active exploitation (KEV) or public proof-of-concept has been documented at this time.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3478 HIGH This Week

The Content Syndication Toolkit plugin for WordPress contains an unauthenticated Server-Side Request Forgery vulnerability that allows attackers to make arbitrary HTTP requests from the WordPress server. All versions up to and including 1.3 are affected through a bundled ReduxFramework library that exposes an unprotected AJAX proxy endpoint. Attackers can exploit this to query internal services, scan internal network ports, access cloud metadata endpoints, or interact with internal APIs without any authentication, representing a significant risk for reconnaissance and lateral movement in internal networks.

WordPress SSRF
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3003 HIGH This Week

The Vagaro Booking Widget plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'vagaro_code' parameter affecting all versions up to and including 0.3. Unauthenticated attackers can inject malicious JavaScript that executes whenever any user visits the compromised page, potentially leading to session hijacking, credential theft, or further site compromise. The CVSS score of 7.2 reflects network-based exploitation with no authentication required and changed scope, indicating the attack can affect resources beyond the vulnerable component.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2440 HIGH This Week

The SurveyJS WordPress plugin contains a stored cross-site scripting (XSS) vulnerability affecting all versions up to and including 2.5.3. Unauthenticated attackers can submit malicious HTML-encoded payloads through public survey forms that execute when administrators view survey results in the WordPress admin dashboard. With a CVSS score of 7.2 and no authentication required, this represents a significant risk to WordPress sites using this plugin.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-4302 HIGH This Week

The WowOptin: Next-Gen Popup Maker plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability affecting all versions up to and including 1.4.29. An unauthenticated attacker can exploit a publicly accessible REST API endpoint (optn/v1/integration-action) that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() without validation, allowing arbitrary web requests from the server. This enables querying and modifying information from internal services with a CVSS score of 7.2 (High), though no active exploitation (KEV) or public POC has been documented at this time.

WordPress SSRF
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-1648 HIGH This Week

The Performance Monitor plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability in its REST API endpoint that allows unauthenticated attackers to make arbitrary web requests to internal services using dangerous protocols including Gopher. Versions up to and including 1.0.6 are affected. This vulnerability can be chained with services like Redis to achieve Remote Code Execution, making it a critical security concern despite the 7.2 CVSS score.

Redis WordPress SSRF RCE
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-2279 HIGH PATCH This Week

The myLinksDump plugin for WordPress contains a SQL injection vulnerability in the 'sort_by' and 'sort_order' parameters affecting all versions up to and including 1.6. Authenticated attackers with administrator-level access can exploit insufficient input escaping and inadequate SQL query preparation to append malicious SQL queries and extract sensitive database information. While requiring high privileges (PR:H), the vulnerability has a CVSS score of 7.2 with high impact to confidentiality, integrity, and availability.

WordPress SQLi
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-32058 LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness that allows attackers to reuse previously approved system.run execution requests with modified environment variables, bypassing approval-enabled workflow integrity controls. An attacker with access to an approval ID can exploit this vulnerability to execute commands with different environment settings than originally approved, effectively circumventing execution-integrity safeguards. The vulnerability requires local/network access and user interaction, resulting in a low CVSS score of 2.6, but represents a meaningful integrity violation in approval workflows where execution consistency is critical.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
2.6
EPSS
0.0%
CVE-2026-2375 MEDIUM This Month

The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.

Apple Google WordPress PHP Privilege Escalation
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4004 MEDIUM This Month

The Task Manager plugin for WordPress (all versions up to 3.0.2) contains an arbitrary shortcode execution vulnerability in the AJAX search callback function due to missing capability checks and insufficient input validation. Authenticated attackers with Subscriber-level privileges and above can inject malicious shortcode syntax into search parameters to execute arbitrary shortcodes on the WordPress site, potentially leading to code execution and site compromise. The vulnerability is classified with a CVSS 3.1 score of 6.5 and has been reported by Wordfence security researchers.

Code Injection WordPress RCE
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2351 MEDIUM PATCH This Month

The Task Manager plugin for WordPress contains an arbitrary file read vulnerability in the callback_get_text_from_url() function that allows authenticated attackers with Subscriber-level privileges and above to read sensitive files from the server. This information disclosure vulnerability affects all versions up to and including 3.0.2 of the eoxia Task Manager plugin. The vulnerability has a CVSS score of 6.5 and presents moderate real-world risk due to its low attack complexity and the prevalence of WordPress installations, though exploitation requires valid user credentials.

WordPress Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4087 MEDIUM This Month

SQL injection in the Pre* Party Resource Hints WordPress plugin up to version 1.8.20 allows authenticated users with Subscriber-level permissions or higher to execute arbitrary database queries through the unescaped 'hint_ids' parameter in the pprh_update_hints AJAX action. An attacker can exploit this to extract sensitive information from the WordPress database without user interaction. No patch is currently available for this vulnerability.

WordPress SQLi
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2720 MEDIUM This Month

The Hr Press Lite WordPress plugin (versions up to 1.0.2) contains a missing capability check vulnerability in the hrp-fetch-employees AJAX action that allows authenticated attackers with Subscriber-level access to retrieve sensitive employee information including names, email addresses, phone numbers, salary data, employment dates, and employment status. This represents a clear privilege escalation and information disclosure flaw with a CVSS score of 6.5 (Medium severity, high confidentiality impact) affecting all versions of the plugin distributed through the WordPress plugin repository.

Authentication Bypass WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2503 MEDIUM This Month

The ElementCamp plugin for WordPress contains a time-based SQL injection vulnerability in the 'tcg_select2_search_post' AJAX action through improper validation of the 'meta_query[compare]' parameter. Authenticated attackers with Author-level privileges or higher can inject arbitrary SQL operators to extract sensitive database information, as the vulnerable code places user-supplied comparison operators directly into SQL queries without allowlist validation, rendering esc_sql() ineffective for operator-level payloads. The CVSS score of 6.5 reflects moderate severity with high confidentiality impact but no integrity or availability impact, limited to authenticated users with elevated privileges.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4022 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Show Posts List plugin for WordPress (versions up to 1.1.0) affecting the 'swiftpost-list' shortcode's 'post_type' attribute due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript code into pages, which executes whenever any user views the compromised page. With a CVSS score of 6.4 and network-accessible attack vector requiring only low privileges, this represents a moderate-priority vulnerability for WordPress installations using this plugin, particularly those with multi-user environments.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-3997 MEDIUM This Month

The Text Toggle WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 1.1 affecting the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes. Authenticated attackers with Contributor-level privileges or above can inject arbitrary HTML attributes and event handlers by breaking out of the title attribute context, allowing malicious scripts to execute in the browsers of any user viewing affected pages. The vulnerability is classified as medium severity (CVSS 6.4) and requires authentication, but impacts site integrity and visitor security across any WordPress installation using this plugin.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-3996 MEDIUM This Month

The WP Games Embed WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 0.1beta due to insufficient input sanitization and output escaping of shortcode attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript through shortcode parameters such as 'width', 'height', 'src', 'title', 'description', 'game_url', 'main', and 'thumb', which are directly concatenated into HTML output without escaping. When other users visit pages containing the malicious shortcode, the injected scripts execute in their browsers, potentially allowing session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-4084 MEDIUM This Month

The fyyd podcast shortcodes plugin for WordPress contains a Stored Cross-Site Scripting vulnerability affecting all versions up to and including 0.3.1, where shortcode attributes (color, podcast_id, podcast_slug) are improperly concatenated into inline JavaScript without sanitization or escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages, allowing session hijacking, credential theft, or malware distribution. The CVSS 6.4 score reflects moderate risk with network-accessible attack vector and low complexity, though exploitation requires prior authentication.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3617 MEDIUM This Month

This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the PayPal Shortcodes WordPress plugin affecting all versions up to and including 0.3. The plugin fails to properly sanitize and escape the 'amount' and 'name' shortcode attributes, allowing authenticated attackers with Contributor-level access or higher to inject malicious JavaScript that executes for all users viewing affected pages. With a CVSS score of 6.4 and network-based attack vector, this represents a moderate-severity threat to WordPress installations using this plugin, particularly those with multiple contributor accounts.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4077 MEDIUM This Month

The Ecover Builder For Dummies WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'id' parameter of the 'ecover' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in page content and executes for all users viewing the affected page. With a CVSS score of 6.4 and confirmed by Wordfence, this vulnerability enables privilege escalation and defacement attacks within WordPress environments.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1397 MEDIUM This Month

The PQ Addons - Creative Elementor Widgets plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Section Title widget's html_tag parameter due to insufficient input sanitization and output escaping. All versions up to and including 1.0.0 are affected, allowing authenticated attackers with contributor-level access or above to inject arbitrary JavaScript that executes when users view affected pages. The vulnerability has a CVSS score of 6.4 (Medium) and exploits are possible since the attack requires only low privilege levels and no user interaction beyond page access.

WordPress XSS Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3554 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sherk Custom Post Type Displays WordPress plugin (versions up to 1.2.1) where the 'title' shortcode attribute is insufficiently sanitized and directly concatenated into HTML output without escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability has a CVSS score of 6.4 (Medium) with a local privilege requirement, making it exploitable by lower-privileged authenticated users rather than unauthenticated remote attackers.

WordPress PHP XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4072 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the WordPress PayPal Donation plugin (all versions up to and including 1.01) due to insufficient input sanitization and output escaping in shortcode attribute handling. Authenticated attackers with Contributor-level access or above can inject arbitrary JavaScript code through malicious shortcode attributes that will execute for all users viewing the affected pages. With a CVSS score of 6.4 and confirmed vulnerability details available through Wordfence and WordPress plugin repository source code analysis, this represents a moderate but practical risk to WordPress installations using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3619 MEDIUM This Month

The Sheets2Table WordPress plugin versions up to 0.4.1 contain a Stored Cross-Site Scripting (XSS) vulnerability in the [sheets2table-render-table] shortcode's 'titles' attribute, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the display_table_header() function, where user-supplied shortcode attributes are echoed directly into HTML without proper escaping mechanisms such as esc_html().

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1886 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Go Night Pro WordPress Dark Mode Plugin affecting all versions up to and including 1.1.0, where the 'margin' attribute of the 'go-night-pro-shortcode' shortcode fails to properly sanitize and escape user input. Authenticated attackers with contributor-level access or above can inject arbitrary JavaScript code into pages, which executes when other users access the affected pages. This vulnerability carries a CVSS score of 6.4 (Medium) with network-based attack vector and low complexity, requiring valid WordPress credentials but affecting site-wide script execution with potential impact on user data and site integrity.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4067 MEDIUM This Month

The Ad Short WordPress plugin versions up to 2.0.1 contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ad' shortcode's 'client' attribute that allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript code into pages. The vulnerability results from insufficient input sanitization and output escaping in the ad_func() shortcode handler, which directly concatenates user-supplied input into HTML attributes without applying proper escaping functions like esc_attr(). When affected pages are visited by other users, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4086 MEDIUM This Month

The WP Random Button WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.0 affecting all installations of this plugin. Authenticated attackers with Contributor-level or higher privileges can inject arbitrary JavaScript code through improperly sanitized shortcode attributes ('cat', 'nocat', and 'text'), which will execute in the browsers of any user viewing the affected pages. With a CVSS score of 6.4 and network-accessible attack vector requiring only low-privileged authenticated access, this vulnerability poses a moderate but realistic risk to WordPress sites using this plugin, particularly those with contributor-level user accounts or where user roles are not carefully managed.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2501 MEDIUM This Month

Ed's Social Share plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the social_share shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 2.0 are affected, allowing authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript that executes for all users viewing the compromised page. With a CVSS score of 6.4 and network-accessible attack vector requiring only low privileges, this vulnerability poses a moderate-to-significant risk in multi-author WordPress environments.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1899 MEDIUM This Month

The Any Post Slider WordPress plugin versions up to 1.0.4 contain a Stored Cross-Site Scripting (XSS) vulnerability in the aps_slider shortcode due to insufficient input sanitization and output escaping on the 'post_type' attribute. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in pages and executes for all users who view the injected content. With a CVSS score of 6.4 and attack complexity marked as low, this represents a moderate-severity threat primarily affecting multi-user WordPress installations where contributor access is delegated.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy