Skip to main content
CVE-2026-1278 MEDIUM This Month

The Mandatory Field plugin for WordPress versions up to 1.6.8 contains a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings due to insufficient input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript that executes for all users accessing affected pages, but exploitation is limited to multi-site WordPress installations or those with unfiltered_html disabled. With a CVSS score of 4.4 and high attack complexity, this represents a moderate-severity privilege escalation risk for WordPress administrators seeking to inject malicious scripts; no public POC or active exploitation has been indicated in KEV data.

WordPress XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1247 MEDIUM This Month

The Survey plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in administrative settings due to insufficient input sanitization and output escaping, affecting all versions up to and including 1.1. Authenticated attackers with administrator-level permissions can inject arbitrary JavaScript code that executes when users access affected pages, though this is restricted to multi-site installations or those with unfiltered_html disabled. With a CVSS score of 4.4 and high attack complexity requiring administrator privileges, the real-world risk is moderate; no public exploit code or KEV status has been indicated, making this a lower-priority remediation compared to critical vulnerabilities.

WordPress XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2837 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Ricerca - advanced search WordPress plugin affecting all versions up to and including 1.1.12, caused by insufficient input sanitization and output escaping in the plugin's settings interface. Only authenticated administrators on multi-site WordPress installations or those with unfiltered_html disabled are able to inject malicious scripts that execute for all users viewing affected pages. The CVSS score of 4.4 reflects the requirement for high-privilege administrative access and specific configuration conditions, though the impact remains meaningful given the scope of affected multi-site deployments.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1253 MEDIUM This Month

The Group Chat & Video Chat by AtomChat WordPress plugin (versions up to 1.1.7) contains a missing capability check vulnerability in the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' AJAX handlers, allowing authenticated Subscriber-level users and above to arbitrarily modify plugin options including API keys and authentication credentials. With a CVSS score of 5.3 and network-based attack vector requiring only authentication (not admin privileges), this represents a medium-severity privilege escalation and configuration tampering issue affecting WordPress installations using this plugin. No evidence of active exploitation in the wild has been documented at this time, though the straightforward nature of the vulnerability (missing capability checks) suggests proof-of-concept code could be easily developed.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4127 MEDIUM This Month

The Speedup Optimization plugin for WordPress contains a missing authorization vulnerability in the `speedup01_ajax_enabled()` AJAX handler that fails to verify user capabilities or nonce tokens, allowing authenticated attackers with Subscriber-level privileges to enable or disable the site's optimization module. Affected versions include all releases up to and including 1.5.9, as documented by Wordfence. While the CVSS score of 5.3 is moderate, the vulnerability represents a clear authorization bypass that could allow low-privileged attackers to degrade site performance or disable security-relevant optimization features.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2294 MEDIUM This Month

UiPress lite plugin for WordPress through version 3.5.09 fails to validate user permissions on the global settings modification function, allowing authenticated subscribers and higher-privileged users to arbitrarily alter plugin configurations. This insufficient access control enables attackers to modify sensitive settings despite lacking administrative rights. A patch is not currently available.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1935 MEDIUM This Month

The Company Posts for LinkedIn WordPress plugin (versions up to 1.0.0) contains a missing authorization vulnerability in the linkedin_company_post_reset_handler() function that allows authenticated attackers with Subscriber-level privileges to delete LinkedIn post data from the site's options table without proper capability checks. This is a privilege escalation flaw where low-privileged users can perform administrative actions. While the CVSS score is moderate at 4.3 and reflects limited integrity impact without confidentiality or availability concerns, the vulnerability enables unauthorized modification of site configuration data by any authenticated user.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4143 MEDIUM This Month

The Neos Connector for Fakturama WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the ncff_add_plugin_page() function, allowing unauthenticated attackers to modify plugin settings. Affected versions include all releases up to and including 0.0.14. An attacker can exploit this by tricking a site administrator into clicking a malicious link or visiting a crafted webpage, resulting in unauthorized modification of plugin configuration without the administrator's knowledge or consent.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1503 MEDIUM This Month

The login_register plugin for WordPress versions up to 1.2.0 contains a combined Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) vulnerability due to missing nonce validation and insufficient input sanitization on the settings page. Unauthenticated attackers can craft malicious links to trick administrators into injecting arbitrary JavaScript that persists and executes for all users accessing affected pages. While the CVSS score is moderate at 4.3, the vulnerability requires user interaction (administrator click) but enables persistent script injection with potential for credential theft or further compromise.

WordPress XSS CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3331 MEDIUM PATCH This Month

The Lobot Slider Administrator WordPress plugin (versions up to 0.6.0) contains a Cross-Site Request Forgery (CSRF) vulnerability in the fourty_slider_options_page function due to missing or incorrect nonce validation. This allows unauthenticated attackers to modify plugin slider-page configuration by tricking site administrators into clicking malicious links, potentially altering slider settings and website presentation. The vulnerability carries a moderate CVSS score of 4.3 with low attack complexity, requiring only user interaction and no privileges.

WordPress CSRF
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1392 MEDIUM This Month

The SR WP Minify HTML plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation in the sr_minify_html_theme() function, affecting all versions up to and including 2.1. An unauthenticated attacker can exploit this vulnerability to modify plugin settings by tricking a site administrator into clicking a malicious link, potentially allowing unauthorized changes to site minification configuration. While the CVSS score of 4.3 is moderate and no KEV status or active exploitation has been confirmed, the vulnerability remains exploitable against WordPress installations with this plugin active.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3332 MEDIUM This Month

The Xhanch - My Advanced Settings WordPress plugin (versions up to 1.1.2) contains a Cross-Site Request Forgery vulnerability in its settings update handler due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings if they can trick an administrator into clicking a malicious link. The vulnerability is particularly dangerous because unescaped output of the `favicon_url` and `ga_acc_id` settings enables a CSRF-to-Stored XSS chain, where injected payloads persist and affect all site visitors. While no active exploitation in the wild has been confirmed in public records and the CVSS score of 4.3 is relatively low, the attack requires only user interaction and results in stored cross-site scripting on the front-end.

Google WordPress CSRF XSS
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1390 MEDIUM This Month

The Redirect Countdown WordPress plugin for all versions up to and including 1.0 contains a Cross-Site Request Forgery vulnerability in the countdown_settings_content() function due to missing nonce validation. An unauthenticated attacker can trick a site administrator into clicking a malicious link to modify critical plugin settings including countdown timeout, redirect URL, and custom text. With a CVSS score of 4.3 and network-accessible attack vector, this vulnerability has moderate real-world impact despite low baseline severity, as it directly affects site functionality and user experience.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1378 MEDIUM This Month

The WP Posts Re-order WordPress plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 1.0 due to missing nonce validation in the cpt_plugin_options() function. An unauthenticated attacker can exploit this to modify critical plugin settings including capability, autosort, and adminsort configurations by tricking a site administrator into clicking a malicious link. The vulnerability has a CVSS score of 4.3 (medium severity) with low attack complexity and requires user interaction, and while no public exploit code has been reported, the straightforward nature of CSRF attacks means proof-of-concept development is trivial.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1393 MEDIUM This Month

The Add Google Social Profiles to Knowledge Graph Box WordPress plugin (all versions up to 1.0) contains a Cross-Site Request Forgery (CSRF) vulnerability due to missing nonce validation on its settings update functionality. An unauthenticated attacker can forge malicious requests to modify the plugin's Knowledge Graph settings if they can trick a site administrator into clicking a malicious link. While the CVSS score of 4.3 is moderate, the attack requires user interaction and has no confidentiality impact, making it a lower-severity real-world threat despite being easily exploitable.

Google WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy