Skip to main content
CVE-2026-3997 MEDIUM This Month

The Text Toggle WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 1.1 affecting the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes. Authenticated attackers with Contributor-level privileges or above can inject arbitrary HTML attributes and event handlers by breaking out of the title attribute context, allowing malicious scripts to execute in the browsers of any user viewing affected pages. The vulnerability is classified as medium severity (CVSS 6.4) and requires authentication, but impacts site integrity and visitor security across any WordPress installation using this plugin.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-3996 MEDIUM This Month

The WP Games Embed WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 0.1beta due to insufficient input sanitization and output escaping of shortcode attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript through shortcode parameters such as 'width', 'height', 'src', 'title', 'description', 'game_url', 'main', and 'thumb', which are directly concatenated into HTML output without escaping. When other users visit pages containing the malicious shortcode, the injected scripts execute in their browsers, potentially allowing session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-4084 MEDIUM This Month

The fyyd podcast shortcodes plugin for WordPress contains a Stored Cross-Site Scripting vulnerability affecting all versions up to and including 0.3.1, where shortcode attributes (color, podcast_id, podcast_slug) are improperly concatenated into inline JavaScript without sanitization or escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages, allowing session hijacking, credential theft, or malware distribution. The CVSS 6.4 score reflects moderate risk with network-accessible attack vector and low complexity, though exploitation requires prior authentication.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3617 MEDIUM This Month

This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the PayPal Shortcodes WordPress plugin affecting all versions up to and including 0.3. The plugin fails to properly sanitize and escape the 'amount' and 'name' shortcode attributes, allowing authenticated attackers with Contributor-level access or higher to inject malicious JavaScript that executes for all users viewing affected pages. With a CVSS score of 6.4 and network-based attack vector, this represents a moderate-severity threat to WordPress installations using this plugin, particularly those with multiple contributor accounts.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4077 MEDIUM This Month

The Ecover Builder For Dummies WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'id' parameter of the 'ecover' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in page content and executes for all users viewing the affected page. With a CVSS score of 6.4 and confirmed by Wordfence, this vulnerability enables privilege escalation and defacement attacks within WordPress environments.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1397 MEDIUM This Month

The PQ Addons - Creative Elementor Widgets plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Section Title widget's html_tag parameter due to insufficient input sanitization and output escaping. All versions up to and including 1.0.0 are affected, allowing authenticated attackers with contributor-level access or above to inject arbitrary JavaScript that executes when users view affected pages. The vulnerability has a CVSS score of 6.4 (Medium) and exploits are possible since the attack requires only low privilege levels and no user interaction beyond page access.

WordPress XSS Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3554 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sherk Custom Post Type Displays WordPress plugin (versions up to 1.2.1) where the 'title' shortcode attribute is insufficiently sanitized and directly concatenated into HTML output without escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability has a CVSS score of 6.4 (Medium) with a local privilege requirement, making it exploitable by lower-privileged authenticated users rather than unauthenticated remote attackers.

WordPress PHP XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4072 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the WordPress PayPal Donation plugin (all versions up to and including 1.01) due to insufficient input sanitization and output escaping in shortcode attribute handling. Authenticated attackers with Contributor-level access or above can inject arbitrary JavaScript code through malicious shortcode attributes that will execute for all users viewing the affected pages. With a CVSS score of 6.4 and confirmed vulnerability details available through Wordfence and WordPress plugin repository source code analysis, this represents a moderate but practical risk to WordPress installations using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3619 MEDIUM This Month

The Sheets2Table WordPress plugin versions up to 0.4.1 contain a Stored Cross-Site Scripting (XSS) vulnerability in the [sheets2table-render-table] shortcode's 'titles' attribute, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the display_table_header() function, where user-supplied shortcode attributes are echoed directly into HTML without proper escaping mechanisms such as esc_html().

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1886 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Go Night Pro WordPress Dark Mode Plugin affecting all versions up to and including 1.1.0, where the 'margin' attribute of the 'go-night-pro-shortcode' shortcode fails to properly sanitize and escape user input. Authenticated attackers with contributor-level access or above can inject arbitrary JavaScript code into pages, which executes when other users access the affected pages. This vulnerability carries a CVSS score of 6.4 (Medium) with network-based attack vector and low complexity, requiring valid WordPress credentials but affecting site-wide script execution with potential impact on user data and site integrity.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4067 MEDIUM This Month

The Ad Short WordPress plugin versions up to 2.0.1 contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ad' shortcode's 'client' attribute that allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript code into pages. The vulnerability results from insufficient input sanitization and output escaping in the ad_func() shortcode handler, which directly concatenates user-supplied input into HTML attributes without applying proper escaping functions like esc_attr(). When affected pages are visited by other users, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4086 MEDIUM This Month

The WP Random Button WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 1.0 affecting all installations of this plugin. Authenticated attackers with Contributor-level or higher privileges can inject arbitrary JavaScript code through improperly sanitized shortcode attributes ('cat', 'nocat', and 'text'), which will execute in the browsers of any user viewing the affected pages. With a CVSS score of 6.4 and network-accessible attack vector requiring only low-privileged authenticated access, this vulnerability poses a moderate but realistic risk to WordPress sites using this plugin, particularly those with contributor-level user accounts or where user roles are not carefully managed.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2501 MEDIUM This Month

Ed's Social Share plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the social_share shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 2.0 are affected, allowing authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript that executes for all users viewing the compromised page. With a CVSS score of 6.4 and network-accessible attack vector requiring only low privileges, this vulnerability poses a moderate-to-significant risk in multi-author WordPress environments.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1899 MEDIUM This Month

The Any Post Slider WordPress plugin versions up to 1.0.4 contain a Stored Cross-Site Scripting (XSS) vulnerability in the aps_slider shortcode due to insufficient input sanitization and output escaping on the 'post_type' attribute. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in pages and executes for all users who view the injected content. With a CVSS score of 6.4 and attack complexity marked as low, this represents a moderate-severity threat primarily affecting multi-user WordPress installations where contributor access is delegated.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2496 MEDIUM This Month

Ed's Font Awesome plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the eds_font_awesome shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 2.0 are affected, allowing authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript that persists in pages and executes for all users viewing those pages. No evidence of active exploitation in the wild (KEV status unknown), but the vulnerability is straightforward to exploit given contributor access and represents a persistent compromise vector.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1093 MEDIUM This Month

The WPFAQBlock plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in the 'class' parameter of the 'wpfaqblock' shortcode, affecting all versions up to and including 1.1. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that persists in pages and executes for all users visiting those pages. With a CVSS score of 6.4 and low attack complexity, this represents a moderate-to-significant risk for WordPress installations using this plugin, particularly on multi-author sites where contributor accounts may be compromised or malicious.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1889 MEDIUM This Month

The Outgrow WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.1, affecting the 'id' attribute of the 'outgrow' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary JavaScript that executes for all users viewing affected pages. With a CVSS score of 6.4 and moderate attack complexity, this vulnerability poses a real threat to WordPress sites using this plugin, as privilege escalation through stored XSS could enable further compromise.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1851 MEDIUM This Month

The iVysilani Shortcode WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'width' shortcode attribute due to insufficient input sanitization and output escaping. All versions up to and including 3.0 are affected, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that persists in page content and executes for all subsequent site visitors. The vulnerability has been documented by Wordfence with proof-of-concept code available in the WordPress plugin repository, presenting a significant risk to WordPress installations relying on this plugin.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1854 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Post Flagger WordPress plugin for all versions up to and including 1.1, caused by insufficient input sanitization and output escaping in the 'flag' shortcode's user-supplied attributes. Authenticated attackers with contributor-level access or higher can inject arbitrary JavaScript code into pages, which executes for all users who view those pages. This vulnerability has a CVSS score of 6.4 (Medium) and is confirmed in the WordPress plugin repository; no evidence of active exploitation or public proof-of-concept is currently documented, but the straightforward nature of the vulnerability suggests exploitation potential.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1914 MEDIUM This Month

The FuseDesk WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the fusedesk_newcase shortcode that fails to properly sanitize and escape the 'emailtext' attribute. Authenticated attackers with Contributor-level access or higher can inject malicious scripts into WordPress pages that execute for all subsequent visitors. The vulnerability affects all versions up to and including 6.8, with a CVSS score of 6.4 indicating moderate severity; no KEV or active exploitation data is currently documented, but the low attack complexity and network accessibility make this a meaningful concern for multi-user WordPress installations.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1911 MEDIUM This Month

The Twitter Feeds plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'tweet_title' parameter of the TwitterFeeds shortcode due to insufficient input sanitization and output escaping. All versions up to and including 1.0.0 are affected, allowing authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript that persists in pages and executes for all users who view the compromised content. With a CVSS score of 6.4 (Medium) and CWE-79 classification, this vulnerability poses a meaningful risk to WordPress sites using this plugin, particularly those with permissive user role assignments.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0609 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Logo Slider WordPress plugin (versions up to 4.9.0) that allows authenticated attackers with author-level privileges to inject malicious scripts through image alt text in the 'logo-slider' shortcode. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent script execution whenever users access pages containing the injected content. With a CVSS score of 6.4 and moderate real-world exploitability, this represents a credible threat to WordPress sites with multiple trusted authors.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1575 MEDIUM This Month

The Schema Shortcode plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the `itemscope` shortcode that allows authenticated attackers with contributor-level access or higher to inject arbitrary malicious scripts into pages. These injected scripts execute whenever any user accesses the affected page, potentially compromising visitor sessions and data. With a CVSS score of 6.4 and confirmed vulnerability through Wordfence intelligence, this represents a meaningful risk to WordPress sites using this plugin, though exploitation requires authenticated access rather than unauthenticated exploitation.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1275 MEDIUM This Month

The Multi Post Carousel by Category WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'slides' shortcode attribute due to insufficient input sanitization and output escaping in the post_slides_shortcode function. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code into pages, and the malicious script will execute whenever any user visits the affected page. With a CVSS score of 6.4 and confirmed vulnerability across all versions up to and including 1.4, this represents a moderate-risk vulnerability primarily affecting WordPress sites using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1908 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Integration with Hubspot Forms WordPress plugin (all versions up to 1.2.2) due to insufficient input sanitization and output escaping on shortcode attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript into pages via the 'hubspotform' shortcode, which executes whenever users access the compromised page. While no public exploit-in-the-wild activity has been reported, the vulnerability is straightforward to exploit and poses a moderate risk given the low privilege requirement and broad attack surface in WordPress environments.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3333 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the MinhNhut Link Gateway WordPress plugin versions up to and including 3.6.1, where the 'linkgate' shortcode fails to properly sanitize and escape user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject malicious JavaScript that persists in pages and executes for all users who view those pages. The vulnerability has a CVSS 3.1 score of 6.4 with a network attack vector and low complexity, indicating practical exploitability by lower-privileged authenticated users.

WordPress XSS
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1806 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Tour & Activity Operator Plugin for TourCMS (all versions up to 1.7.0) affecting WordPress installations. The vulnerability resides in the 'target' parameter of the tourcms_doc_link shortcode, where insufficient input sanitization and output escaping allows authenticated attackers with Contributor-level privileges and above to inject arbitrary JavaScript code that executes in the browsers of users visiting affected pages. With a CVSS score of 6.4 and network-based attack vector requiring only low privileges, this represents a moderate but exploitable risk to WordPress sites using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1891 MEDIUM This Month

The Simple Football Scoreboard plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ytmr_fb_scoreboard' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 1.0 are affected, allowing authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript that executes for all users viewing the compromised page. With a CVSS score of 6.4 and network-based attack vector requiring only low privileges, this represents a moderate but exploitable threat to WordPress sites using this plugin.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1822 MEDIUM This Month

The WP NG Weather plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'ng-weather' shortcode due to insufficient input sanitization and output escaping of user-supplied attributes. All versions up to and including 1.0.9 are affected, allowing authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript that executes when users visit pages containing the malicious shortcode. With a CVSS score of 6.4 and network-accessible attack vector, this vulnerability poses a moderate risk to WordPress installations using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2277 MEDIUM PATCH This Month

The rexCrawler WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability in the search-pattern tester page that allows unauthenticated attackers to inject arbitrary web scripts via inadequately sanitized 'url' and 'regex' parameters. Affected versions are up to and including 1.0.15 (CPE: cpe:2.3:a:larsdrasmussen:rexcrawler:*:*:*:*:*:*:*:*), with exploitation requiring social engineering to trick administrators into clicking a malicious link. This vulnerability is limited to WordPress multisite installations or sites where the unfiltered_html capability has been disabled, and carries a CVSS v3.1 score of 6.1 with an AV:N/AC:L/PR:N/UI:R/S:C profile indicating network-based exploitation with user interaction required.

WordPress XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1647 MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Comment Genius WordPress plugin versions up to 1.2.5, where the PHP_SELF server variable is insufficiently sanitized and escaped in output, allowing unauthenticated attackers to inject arbitrary JavaScript code. Affected users are WordPress site administrators and visitors who can be tricked into clicking malicious links. The vulnerability has a CVSS score of 6.1 (Medium) with network accessibility and low complexity, though it requires user interaction to execute.

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-13910 MEDIUM This Month

The WP-WebAuthn WordPress plugin contains an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the wwa_auth AJAX endpoint that allows attackers to inject arbitrary JavaScript into the plugin's log page. Affected are all versions up to and including 1.3.4 of the plugin (identified via CPE cpe:2.3:a:axton:wp-webauthn:*:*:*:*:*:*:*:*), which is exploitable only when logging is enabled in plugin settings. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes, enabling persistent XSS execution whenever administrators or authorized users access the logging interface.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2427 MEDIUM This Month

The itsukaita WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability in the 'day_from' and 'day_to' parameters due to insufficient input sanitization and output escaping. All versions up to and including 0.1.2 are affected, allowing unauthenticated attackers to inject arbitrary web scripts that execute in administrator browsers if they click a malicious link. With a CVSS score of 6.1 (Medium) and a requirement for user interaction (UI:R), this vulnerability poses a moderate but real threat to WordPress installations using this plugin.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-4069 MEDIUM This Month

The Alfie - Feed Plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'naam' parameter of the alfie_option_page() function, affecting all versions up to and including 1.2.1. The vulnerability stems from missing nonce validation combined with insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject malicious scripts that persist in the plugin's database and execute when users view affected pages. An attacker must successfully social engineer a site administrator into clicking a malicious link, but once exploited, the payload executes with the privileges of any user accessing the compromised page, making this a moderate-risk vulnerability with a CVSS score of 6.1.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2723 MEDIUM This Month

The Post Snippits WordPress plugin for all versions up to and including 1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on settings page handlers that manage snippet creation, modification, and deletion. Unauthenticated attackers can exploit this by crafting malicious requests that, when clicked by an administrator, allow injection of arbitrary scripts and modification of plugin settings, potentially leading to site compromise. The vulnerability has a CVSS score of 6.1 with a network attack vector requiring user interaction.

WordPress CSRF
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-13785 MEDIUM This Month

The The Contact Form, Survey, Quiz & Popup Form Builder - ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE WordPress Code Injection
NVD
CVSS 3.1
5.6
EPSS
0.1%
CVE-2026-3347 MEDIUM This Month

A Stored Cross-Site Scripting vulnerability exists in the Multi Functional Flexi Lightbox WordPress plugin (versions up to and including 1.2) that allows authenticated administrators to inject arbitrary JavaScript code via the arv_lb[message] parameter. The vulnerability stems from insufficient input sanitization in the arv_lb_options_val() callback function and missing output escaping in the genLB() function, enabling malicious scripts to execute in the browsers of any user viewing pages or posts with the lightbox enabled. With a CVSS score of 5.5 and requiring high-privilege administrator access, this represents a moderate but real risk primarily applicable to compromised or malicious admin accounts.

WordPress XSS
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-3335 MEDIUM This Month

The Canto plugin for WordPress (versions up to 3.1.1) contains a critical missing authorization vulnerability in the copy-media.php file and related endpoints that allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory. The vulnerability stems from multiple PHP files being directly accessible without authentication, nonce validation, or authorization checks, while also accepting attacker-controlled parameters for API endpoints and domain configuration. An attacker can exploit this to upload malicious files (within WordPress MIME type constraints) or redirect legitimate file operations to attacker-controlled infrastructure, potentially leading to remote code execution or site compromise.

WordPress PHP Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3570 MEDIUM This Month

The Smarter Analytics WordPress plugin (all versions up to 2.0) contains an authentication bypass vulnerability that allows unauthenticated attackers to reset plugin configuration and delete all analytics settings via the 'reset' parameter in the global scope of smarter-analytics.php. This is a missing authentication and capability check vulnerability (CWE-862) with a CVSS score of 5.3, classified as moderate severity with low attack complexity and no authentication required. The vulnerability is publicly documented via Wordfence threat intelligence with direct references to the vulnerable code in the WordPress plugin repository, though no active exploitation in the wild or public proof-of-concept has been widely reported.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3641 MEDIUM This Month

The Appmax WordPress plugin versions up to 1.0.3 contain an improper input validation vulnerability in its public REST API webhook endpoint at /webhook-system that fails to authenticate, verify signatures, or validate the authenticity of incoming webhook requests. Unauthenticated attackers can exploit this by crafting malicious webhook payloads to modify existing WooCommerce order statuses, create arbitrary new orders and products with attacker-controlled data, and inject arbitrary metadata into orders. With a CVSS score of 5.3 (medium severity), an CVSS vector indicating network accessibility with low attack complexity and no authentication required, and confirmed vulnerability references in the official WordPress plugin repository, this vulnerability poses a significant integrity risk to e-commerce sites using the affected plugin.

Information Disclosure WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3651 MEDIUM This Month

The Build App Online WordPress plugin contains an authentication bypass vulnerability in the 'build-app-online-update-vendor-product' AJAX action that allows unauthenticated attackers to modify post metadata without authorization. Affected versions are up to and including 1.0.23 as confirmed via CPE (cpe:2.3:a:hakeemnala:build_app_online). Attackers can orphan posts by setting the post_author field to 0 or, if authenticated, claim ownership of arbitrary posts by reassigning authorship, resulting in unauthorized content modification with medium integrity impact (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3506 MEDIUM This Month

The WP-Chatbot for Messenger WordPress plugin versions up to 4.9 contains an authorization bypass vulnerability that allows unauthenticated attackers to overwrite critical chatbot configuration options, specifically the MobileMonkey API token and company ID. This enables attackers to hijack the site's chatbot functionality and redirect visitor conversations to attacker-controlled accounts without requiring any authentication or user interaction. The vulnerability has a CVSS score of 5.3 with a network attack vector and no privilege requirements, making it readily exploitable by any remote attacker.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3645 MEDIUM This Month

The Punnel - Landing Page Builder WordPress plugin contains a critical missing authorization vulnerability in the save_config() AJAX function that allows authenticated attackers with Subscriber-level privileges to overwrite the plugin's configuration and API key without proper capability checks or nonce verification. Combined with an insecure public API endpoint (sniff_requests()) that only validates requests via token comparison, attackers can subsequently create, update, or delete arbitrary posts, pages, and products on affected WordPress installations. The vulnerability affects all versions up to and including 1.3.1 and has been documented by Wordfence with publicly available code references.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3460 MEDIUM This Month

The REST API TO MiniProgram plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated attackers with Subscriber-level access to modify arbitrary users' WeChat shop metadata by exploiting a permission validation flaw. The vulnerability affects all versions up to and including 5.1.2, where the permission callback validates one parameter (openid) but the actual modification function uses a different attacker-controlled parameter (userid) without cross-validation. Attackers can exploit this via the REST API to alter storeinfo, storeappid, and storename fields for any user account, potentially disrupting store operations or impersonating legitimate shop owners.

Information Disclosure WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3546 MEDIUM This Month

The e-shot form builder plugin for WordPress contains a sensitive information exposure vulnerability in the eshot_form_builder_get_account_data() AJAX handler that is accessible to any authenticated user without capability checks or nonce verification. An attacker with Subscriber-level access or higher can extract the e-shot API token and subaccount information by calling this AJAX endpoint, potentially compromising the victim's e-shot platform account. The vulnerability affects all versions up to and including 1.0.2, and while this CVE does not appear in the KEV catalog or have public proof-of-concept code readily available, the CVSS score of 5.3 reflects moderate risk due to the low attack complexity and lack of user interaction required.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4161 MEDIUM This Month

The Review Map by RevuKangaroo WordPress plugin contains a Stored Cross-Site Scripting (XSS) vulnerability in its plugin settings that allows authenticated administrators to inject arbitrary JavaScript code through insufficient input sanitization and output escaping. This vulnerability affects all versions up to and including 1.7 and only manifests in WordPress multisite installations or single-site installations where the unfiltered_html capability has been disabled. Once injected, the malicious script executes whenever any user accesses the affected page, making this a persistent XSS attack vector that can compromise user sessions and sensitive data.

WordPress XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2121 MEDIUM This Month

The Weaver Show Posts plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'add_class' parameter due to insufficient input sanitization and output escaping. Authenticated attackers with Administrator-level access can inject arbitrary web scripts that execute when users access injected pages, with particular impact in multisite installations where Administrators lack the unfiltered_html capability. A proof-of-concept demonstration exists, though the CVSS 4.4 score reflects the high privilege requirement needed for exploitation.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2424 MEDIUM This Month

The Reward Video Ad for WordPress plugin (all versions up to 1.6) contains a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings due to insufficient input sanitization and output escaping on fields including Account ID, Message before the video, and color parameters. This allows authenticated administrators to inject arbitrary JavaScript that executes whenever any user accesses an affected page, potentially compromising site visitors. The vulnerability requires Administrator-level access to exploit, limiting the attack surface to high-privilege accounts, though once injected, the malicious scripts execute with no further user interaction required.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-3354 MEDIUM This Month

The Wikilookup plugin for WordPress versions up to 1.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'Popup Width' setting due to insufficient input sanitization and output escaping. Authenticated attackers with Administrator-level access can inject arbitrary JavaScript that executes for all users viewing affected pages, but only in multi-site installations or where the unfiltered_html capability has been disabled. With a CVSS score of 4.4 and high attack complexity requirements, this represents a low-to-moderate real-world threat that requires both administrative access and specific WordPress configurations to exploit.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-3353 MEDIUM This Month

The Comment SPAM Wiper plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the 'API Key' setting that allows authenticated administrators to inject arbitrary JavaScript code. This vulnerability affects multi-site WordPress installations and those with the unfiltered_html capability disabled, impacting versions up to and including 1.2.1. While the CVSS score of 4.4 is moderate and exploitation requires high-privilege access (Administrator level), the stored nature of the XSS means injected scripts execute for all users accessing affected pages, creating persistent exposure.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy