Unauthenticated availability-impacting broken access control affects the ThemeGrill User Registration WordPress plugin versions 5.1.2 and earlier, allowing remote attackers to invoke privileged actions without credentials. The CVSS 7.5 score (AV:N/AC:L/PR:N/UI:N) reflects pure availability impact (A:H) with no confidentiality or integrity loss, and no public exploit identified at time of analysis. The flaw is classified as CWE-862 Missing Authorization and tracked by Patchstack and ENISA EUVD-2026-36911.
Sensitive information disclosure in the GetPaid WordPress plugin (also known as Invoicing, by Stiofan) through version 2.8.49 allows remote unauthenticated attackers to retrieve embedded sensitive data via responses sent by the plugin. The flaw is classified as CWE-201 and was reported by Patchstack; no public exploit identified at time of analysis, but the network-reachable, no-auth, no-interaction CVSS profile makes opportunistic discovery plausible on exposed WordPress sites.
Sensitive data exposure in the Chatway Live Chat WordPress plugin (versions <= 1.4.8) allows authenticated subscriber-level users to access information they should not have visibility into. The flaw, reported by Patchstack and tracked as CWE-201 (Insertion of Sensitive Information Into Sent Data), has a CVSS 3.1 score of 7.4 with scope change. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Broken access control in the Royal MCP WordPress plugin (versions 1.4.2 and earlier) allows remote attackers to invoke protected functionality without proper authorization checks. The flaw, classified as CWE-862 (Missing Authorization), was reported by Patchstack and tracked as EUVD-2026-36984. No public exploit identified at time of analysis, and the CVSS 7.3 score reflects low-complexity network exploitation with partial impact across confidentiality, integrity, and availability.
Privilege escalation in the AI Engine WordPress plugin (Meow Apps) through version 3.4.9 allows authenticated users with Editor-level access to elevate their privileges to Administrator. CVSS rates this 7.2 (High) given high privileges required but full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Unauthenticated privilege escalation in the Listdom WordPress plugin versions 5.5.0 and earlier allows remote attackers to elevate privileges without any authentication or user interaction. The flaw is tracked under CWE-266 (Incorrect Privilege Assignment) and was reported by Patchstack; no public exploit identified at time of analysis. Affected sites running this Webilia-developed directory listing plugin face risk of unauthorized account or capability elevation through exposed plugin endpoints.
PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin versions 1.6.19 and below allows authenticated users with Shop Manager privileges to deserialize attacker-controlled data, potentially leading to remote code execution or full site compromise depending on available PHP gadget chains. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36946; no public exploit identified at time of analysis and the issue is not in CISA KEV.
PHP Object Injection in the Modula Image Gallery WordPress plugin (versions ≤ 2.14.18) allows authenticated authors to trigger unsafe deserialization of attacker-controlled input, potentially leading to remote code execution, data tampering, or denial of service depending on available POP gadget chains in the WordPress environment. The flaw was disclosed by Patchstack and tracked as ENISA EUVD-2026-36940; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
PHP Object Injection in the WooCommerce PDF Invoices & Packing Slips WordPress plugin before version 5.9.0 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, potentially leading to full compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available, though no public exploit has been identified at time of analysis. The CVSS 7.2 score reflects high privilege requirements offset by network reach and severe impact.
PHP Object Injection in the CTX Feed (WebAppick Product Feed for WooCommerce) WordPress plugin versions up to and including 6.6.26 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, leading to full compromise of confidentiality, integrity, and availability on the host site. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36924; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in the WooCommerce Cart Abandonment Recovery WordPress plugin before version 2.1.0 allows an authenticated shop manager to elevate privileges beyond their intended role on affected WordPress sites. The flaw, tracked as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.2 (High) score and has a vendor-released patch in 2.1.0, with no public exploit identified at time of analysis.
PHP Object Injection in the YayMail WordPress plugin (versions ≤ 4.3.3) allows authenticated users with Shop Manager privileges to inject crafted serialized PHP objects and trigger deserialization on the server. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability of the WordPress site, though no public exploit identified at time of analysis. The flaw is reported by Patchstack and tracked as EUVD-2026-36945.
Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows remote attackers to inject malicious JavaScript that executes in the context of victim browsers, including site administrators. No public exploit identified at time of analysis, but the CVSS scope-change rating (7.2 High) reflects the cross-origin impact typical of XSS where attacker-supplied script crosses a trust boundary into the WordPress admin session. Patchstack reported the issue and tracks it in their WordPress vulnerability database.
Authenticated PHP Object Injection in the ShortPixel Image Optimizer WordPress plugin (versions 6.4.3 and earlier) allows attackers with Author-level privileges to trigger unsafe deserialization of attacker-controlled data, enabling code execution or other impacts when a suitable PHP gadget chain is present. Reported by Patchstack with no public exploit identified at time of analysis, the flaw is tracked as CWE-502 and carries a CVSS 3.1 score of 7.2 due to the high-privilege prerequisite but full CIA impact.
Out-of-bounds read in GStreamer's VMnc decoder allows remote attackers to crash the application or disclose memory contents when a victim opens a maliciously crafted VMnc video file. The flaw stems from a signed integer overflow in payload-size arithmetic that bypasses a length check when cursor dimensions are abnormally large. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected or stored cross-site scripting in the Post SMTP WordPress plugin (versions 3.6.2 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 7.1 score with scope change reflects potential session theft or administrative action hijacking against WordPress sites running the plugin. No public exploit identified at time of analysis, and the issue is tracked by Patchstack but not listed in CISA KEV.
Insecure direct object reference in the EventPrime WordPress plugin (versions up to and including 4.3.0.0) allows authenticated users holding only the low-privilege Subscriber role to access or manipulate event records belonging to other users by tampering with object identifiers. The flaw was disclosed by Patchstack and carries CVSS 7.1 reflecting high confidentiality impact with limited integrity impact, but no public exploit identified at time of analysis and no CISA KEV listing. Because WordPress sites frequently allow open subscriber registration, the low PR:L barrier is practically trivial to clear on affected installations.
Out-of-bounds read in the VA JPEG decoder shipped in GStreamer's gst-plugins-bad allows a remote attacker to crash the decoder or potentially leak adjacent memory contents when a victim opens a maliciously crafted JPEG file. The flaw stems from the JPEG parser trusting a segment-length value from the bitstream without verifying it fits within the buffer, and affects Red Hat Enterprise Linux 6 through 10 where the plugin is consumed. There is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Reflected or stored Cross-Site Scripting in the MW WP Form WordPress plugin (versions <= 5.1.3) allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with crafted plugin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-reachable exploitation with no privileges but requiring user interaction, and the scope change reflects the cross-origin impact typical of XSS in browser contexts. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.10.6) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of the targeted user. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Reflected/stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, potentially hijacking WordPress administrator sessions. The CVSS scope change (S:C) indicates the XSS payload crosses a trust boundary, affecting components beyond the vulnerable plugin itself. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Out-of-bounds read in the GStreamer RealMedia demuxer (gst-plugins-ugly) allows a maliciously crafted .rm file to crash the consuming application and potentially leak small amounts of adjacent heap memory through stream metadata. The flaw affects Red Hat Enterprise Linux 7, 8, 9, and 10 systems shipping the vulnerable demuxer, and exploitation requires a user to open or otherwise process the file (UI:R). There is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Reflected cross-site scripting in the Okay Toolkit WordPress plugin (versions ≤2.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 with a scope-changed impact, but no public exploit identified at time of analysis and EPSS data was not provided. Successful exploitation can lead to session hijacking, credential theft, or administrative actions against the targeted WordPress site.
Out-of-bounds read and denial-of-service in GStreamer's RealMedia demuxer (gst-plugins-ugly) allows remote attackers to crash, hang, or potentially leak limited adjacent memory when a victim opens a maliciously crafted RealMedia (.rm) file. The flaw stems from unvalidated offsets in re_skip_pascal_string() and an attacker-controlled loop counter in the FILEINFO metadata parser. No public exploit identified at time of analysis, and the CVE is not on the CISA KEV list.
Reflected/stored cross-site scripting in the WordPress plugin Stop Spammers (versions 2026.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser when they interact with crafted content. The flaw carries a CVSS 3.1 base score of 7.1 due to scope change (S:C), and no public exploit identified at time of analysis, though Patchstack has catalogued the issue in its WordPress vulnerability database.
Unauthenticated reflected/stored cross-site scripting in the Quiz And Survey Master WordPress plugin (versions through 11.1.2) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. Exploitation is reflected in the CVSS 7.1 (High) score with a scope change, meaning injected script can impact resources beyond the vulnerable component. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Unauthenticated reflected/stored cross-site scripting in the Coupon Affiliates WordPress plugin (versions up to and including 7.5.3) allows remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 3.1 score of 7.1 with scope change (S:C) indicates impact beyond the vulnerable component, typical of XSS reaching the WordPress admin or affiliate context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected/stored cross-site scripting in the Notification for Telegram WordPress plugin (versions <= 3.5) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when they visit a crafted link or page. Patchstack attributes the issue to insufficient input sanitization in the plugin developed by rainafarai, and no public exploit code has been identified at time of analysis. The flaw carries CVSS 7.1 due to the scope change (S:C), reflecting that injected script runs in the WordPress admin or user context beyond the vulnerable component.
Unauthenticated reflected/stored cross-site scripting in the Social Slider Feed WordPress plugin (versions ≤ 2.3.2, developed by ThemeIsle) allows remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and tracked as EUVD-2026-36949; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because exploitation crosses a privilege boundary (S:C) and requires only a user clicking a crafted link, it is a realistic phishing/account-takeover vector against WordPress sites running the plugin.
Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Contact Form to Any API through version 3.0.3 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw requires user interaction (UI:R) and changes scope (S:C), meaning injected script can affect resources beyond the vulnerable component, typically the WordPress admin session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored/reflected cross-site scripting in the CformsII WordPress plugin (versions ≤ 15.1.3) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when the crafted content is rendered, enabling session hijacking, credential theft, or actions on behalf of authenticated users including administrators. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 (UI:R, scope-changed). No public exploit identified at time of analysis and EPSS data was not provided.
Reflected cross-site scripting in Eli's WordCents adSense Widget with Analytics WordPress plugin (versions <= 1.3.03.27) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The flaw stems from improper neutralization of user-supplied input (CWE-79), and while no public exploit identified at time of analysis, the scope-changing CVSS vector indicates potential for session hijacking or administrative account takeover if a logged-in WordPress admin is targeted.
Protection mechanism failure in Qihoo 360 Total Security 6.0 allows a locally authenticated attacker to bypass the Nucleus Engine Monitoring Logic by manipulating the NetworkAddr argument to the RpcStringBindingComposeW function. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving users on 6.0 without an official remediation path. EPSS data is not provided and the issue is not in CISA KEV, but the public PoC raises the practical risk for endpoints running this version.
Local privilege escalation in DVDFab Virtual Drive 2.0.0.5 allows authenticated local users to abuse improper privilege management in the signed kernel driver dvdfabio.sys to gain elevated execution within the Windows kernel. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, increasing the window of risk for affected endpoints. No CISA KEV listing has been recorded, and EPSS data was not provided in the input.
Cross-site scripting in the SEO Redirection WordPress plugin (versions <= 9.17) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction such as clicking a crafted link. The flaw has a CVSS 3.1 score of 7.1 with scope-changed impact, indicating injected scripts can affect resources beyond the vulnerable component. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Drag and Drop Multiple File Upload - Contact Form 7 versions 1.3.9.7 and earlier allows remote attackers to inject script that executes in a victim's browser after user interaction, leading to session theft, account takeover, or pivoting against authenticated administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. CVSS 3.1 base score is 7.1 with a changed scope reflecting impact across the WordPress admin trust boundary.
Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3.15.0.2) allows remote attackers to inject malicious scripts that execute in a victim's browser when they visit a crafted page or link. The CVSS 3.1 score of 7.1 reflects a scope-changing impact with low confidentiality, integrity, and availability impact and required user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated reflected/stored cross-site scripting in the HollerBox WordPress plugin (versions 2.3.10.1 and earlier) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 due to the scope change (S:C) reflecting the WordPress site context being affected from injected content; no public exploit identified at time of analysis and no CISA KEV listing exists.
Reflected/stored cross-site scripting in the Product Filter Widget for Elementor WordPress plugin (versions <= 1.0.6) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with scope change due to script execution in the browser context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope change (S:C), meaning script execution affects components beyond the vulnerable one - typically authenticated WordPress administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored or reflected cross-site scripting in the EventPrime WordPress plugin (versions <= 4.3.2.1) allows authenticated users with Subscriber-level privileges to inject malicious JavaScript that executes in other users' browsers. The flaw was disclosed by Patchstack and currently has no public exploit identified at time of analysis, but the low privilege bar makes it attractive for opportunistic attackers on multi-user WordPress sites. No CISA KEV listing or EPSS data was supplied with this report.
Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and carries CVSS 7.1 due to the scope change affecting the broader WordPress site context, though no public exploit identified at time of analysis. Risk is elevated for sites running the plugin in publicly accessible classified/marketplace deployments where untrusted visitor input is processed.
Reflected/stored cross-site scripting in the Favicon Rotator WordPress plugin (versions 1.2.11 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The CVSS scope-changed vector (S:C) indicates the injected script can impact resources beyond the vulnerable plugin component, typically the entire WordPress site context. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the unauthenticated nature combined with WordPress's broad install base elevates real-world concern.
Reflected/stored cross-site scripting in the WP Time Slots Booking Form WordPress plugin (versions up to and including 1.2.46) lets remote unauthenticated attackers inject script that executes in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36994, carries a CVSS 7.1 due to the scope change against the WordPress origin, and no public exploit identified at time of analysis.
Broken access control in the QuantumCloud ChatBot plugin for WordPress (versions <= 7.9.7) allows authenticated low-privileged users (Subscriber role) to invoke restricted plugin functionality without proper authorization checks, leading to integrity tampering and availability disruption. Reported by Patchstack and tracked as EUVD-2026-36991, with no public exploit identified at time of analysis.
Stored or reflected cross-site scripting in the Quiz And Survey Master WordPress plugin (versions up to and including 11.0.0) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after a single user interaction. Patchstack reports the issue under EUVD-2026-36990 with a CVSS 3.1 base score of 7.1 reflecting scope change and partial impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Broken authentication in the AutomatorWP WordPress plugin versions 5.6.7 and earlier allows authenticated users with low-level Subscriber privileges to bypass authorization controls, enabling integrity tampering and high availability impact on affected WordPress sites. The flaw is tracked via Patchstack and ENISA EUVD-2026-36989, with no public exploit identified at time of analysis. EPSS data was not provided, and the issue is not currently listed in CISA KEV.
Reflected cross-site scripting in the Paid Member Subscriptions WordPress plugin (versions through 2.17.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. No public exploit identified at time of analysis, but the vulnerability is reachable without authentication and carries a CVSS 3.1 score of 7.1 driven by scope change. The flaw was disclosed by Patchstack and affects the Cozmoslabs-maintained membership/subscription plugin used on WordPress sites.
Broken authentication in the FunnelKit Automations WordPress plugin (versions <= 3.7.3) allows authenticated low-privilege users (subscribers) to bypass intended authentication controls, leading to integrity tampering and availability impact on the WordPress site. The flaw is reported by Patchstack and tracked as EUVD-2026-36929, with no public exploit identified at time of analysis and no CISA KEV listing. Given subscriber-level registration is open on many WordPress sites, the practical attack surface is broader than the CVSS 7.1 score alone suggests.
Reflected/stored cross-site scripting in the WooCommerce Product Table Lite WordPress plugin (versions ≤ 4.6.3) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of an authenticated WordPress user, including site administrators. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated attack surface combined with WordPress's broad install base makes this a meaningful risk for sites running the plugin.