Skip to main content
CVE-2026-6803 MEDIUM This Month

Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12426 MEDIUM This Month

Sensitive information exposure in the Members - Membership & User Role Editor Plugin for WordPress (all versions through 3.2.22) allows unauthenticated network attackers to exploit the REST API filter `members_filter_protected_posts_for_rest` as a boolean oracle, revealing the existence, count, and inferred keyword content of posts explicitly restricted by membership rules. The mechanism abuses per-page pagination parameters to observe response count changes, enabling iterative inference of hidden post content without ever receiving the post body directly. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV, but the zero-authentication, network-accessible attack surface means any WordPress site using this plugin with sensitive restricted content is exposed by default.

WordPress Oracle Information Disclosure Members Membership User Role Editor Plugin
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9017 MEDIUM This Month

Authorization bypass in the NEX-Forms WordPress plugin (all versions through 9.2.2) allows unauthenticated remote attackers to overwrite email metadata fields on arbitrary form entries and weaponize the victim WordPress site as an outbound email relay. The CVSS vector (PR:N/AC:L/AV:N) confirms zero authentication and zero configuration prerequisites beyond plugin activation. No public exploit has been identified at time of analysis, but the trivially low exploitation complexity makes mass scanning and abuse for phishing or spam distribution operationally realistic at scale.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13250 MEDIUM This Month

Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.

Authentication Bypass WordPress PHP Solace Extra
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-6801 MEDIUM This Month

Context Blog WordPress theme (all versions through 1.3.5) exposes the full content of password-protected posts to unauthenticated remote attackers through the `context_blog_modal_popup` component, effectively bypassing WordPress's native content-gating mechanism. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivially low exploitation complexity with no authentication or user interaction required. No public exploit code or active exploitation has been identified at time of analysis, and real-world impact is bounded entirely by what site owners store behind password-protected posts.

WordPress Information Disclosure Context Blog
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56240 MEDIUM PATCH This Month

Billing authorization bypass in Capgo (prior to 12.128.12) enables authenticated organizations with exhausted or expired usage credit grants to continue consuming paid API endpoints without valid entitlement. The divergence between the plugin's hot-path plan_valid expression and the authoritative billing gate creates a logic gap exploitable by any organization that reaches credit depletion, granting continued access to /updates, /stats, /channel_self, and attachment upload endpoints. No public exploit or CISA KEV listing exists at time of analysis, but the low attack complexity and network accessibility make this straightforward for any affected account holder to abuse.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-11901 MEDIUM This Month

Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbitrary hotel reservations as fully paid without submitting genuine payment. The PayPal IPN handler `web_hook_process_paypal_standard()` accepts an attacker-controlled `test_ipn=1` parameter that silently reroutes IPN validation to PayPal's sandbox environment, where a free sandbox account returns a legitimate 'VERIFIED' response; the handler then promotes any pending booking to completed while skipping critical post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness. No public exploit is identified at time of analysis, but the attack requires only a free PayPal sandbox account, making it nearly zero-cost for any motivated attacker.

WordPress Information Disclosure Wp Hotel Booking
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-5017 MEDIUM This Month

Time-based blind SQL injection in the Catalyst Connect Zoho CRM Client Portal WordPress plugin (all versions ≤ 2.2.0) enables authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database via the unsanitized 'uid' parameter. The CVSS vector (PR:H) confirms exploitation requires administrator-level credentials, meaningfully constraining the attack surface. A public proof-of-concept is available on GitHub (BFS-Lab/BFSDV), and no confirmed patch version has been identified in available intelligence at time of analysis.

WordPress SQLi Zoho Catalyst Connect Zoho Crm Client Portal
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-12141 MEDIUM This Month

Stored XSS in Premium Addons for Elementor (all versions ≤4.11.84) lets authenticated contributors plant persistent JavaScript payloads via the `premium_tooltip_text` parameter that execute specifically when an administrator opens the injected post in the Elementor editor - not on public-facing pages. The root cause is unescaped output in the `print_template()` method registered on the `elementor/section/print_template` hook, meaning the attack surface is confined to the Elementor editor backend. No public exploit or CISA KEV listing has been identified at time of analysis; however, the scope-changed CVSS rating reflects real privilege-escalation potential from contributor to admin session context.

WordPress XSS Premium Addons For Elementor Powerful Elementor Templates Widgets
NVD VulDB
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-61858 MEDIUM PATCH This Month

Policy bypass in ImageMagick before 7.1.2-26 allows low-privileged local users to write files to filesystem paths explicitly blocked by the application's security policy framework. The APNG encoder and external delegate mechanisms omit required validation against policy.xml restrictions, enabling circumvention of configured path-based access controls. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the impact is meaningful in multi-tenant or shared-processing environments that rely on ImageMagick's policy layer as a security boundary.

Authentication Bypass Imagemagick
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56372 MEDIUM PATCH This Month

Heap-based out-of-bounds read in ImageMagick before 7.1.2-19 is triggered when processing an image carrying an unrecognized magnify:method value, causing the magnify operation to read beyond allocated heap memory. Affected systems running any version prior to 7.1.2-19 can be impacted when a user or automated pipeline processes a specially crafted image file, with outcomes ranging from partial memory disclosure to application crash. No active exploitation is confirmed (not in CISA KEV) and no public proof-of-concept has been identified at time of analysis, and the CVSS 4.0 score of 4.8 (Medium) reflects the limited local/interactive nature of the attack.

Heap Overflow Denial Of Service Buffer Overflow Imagemagick
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-61465 MEDIUM PATCH This Month

Memory allocation policy bypass in ImageMagick's matrix-backed operations allows a crafted image to exhaust process memory and cause a denial of service. Affected across both the version 7 series (before 7.1.2-26) and the legacy version 6 series (before 6.9.13-51), the flaw arises because operations such as -canny fail to enforce the memory ceiling set in the configured policy, nullifying a key security control. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS 4.0 score of 4.8 reflects a local attack vector requiring user interaction, keeping real-world exposure moderate.

Denial Of Service Imagemagick
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-3367 MEDIUM This Month

Stored Cross-Site Scripting in the Lockme OAuth2 Calendars Integration WordPress plugin (all versions through 2.11.0) permits authenticated administrators to persist arbitrary JavaScript in four settings fields - App ID, App Secret, Bookings ID prefix, and API domain - which then executes in the browser of any user who loads the plugin settings page. The root cause is a missing sanitize callback in register_setting() (Plugin.php:197) paired with unescaped output via direct echo into an HTML value attribute without esc_attr() (lines 212, 223, 245, 256), a classic CWE-79 dual-failure pattern. Exploitation risk is highest in WordPress multisite environments where per-site administrators, who should not have cross-site authority, could poison settings to harvest session tokens or perform actions in the context of super-administrators. No public exploit code and no CISA KEV listing have been identified at time of analysis; an upstream patch changeset (revision 3495564) has been committed to the WordPress plugin repository.

WordPress XSS Lockme Calendars Integration
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-11591 MEDIUM This Month

Stored Cross-Site Scripting in the Widgets for Google Reviews WordPress plugin (versions ≤ 13.3) enables authenticated attackers holding editor-level WordPress roles to inject persistent JavaScript through admin settings, which then executes in any site visitor's browser on pages rendering the compromised widget. Exploitation is gated by two environmental prerequisites - multi-site WordPress deployments or single-site installs where unfiltered_html has been explicitly disabled - substantially narrowing the attack surface despite the network-accessible entry point. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the fix is referenced via a WordPress plugin repository changeset but an exact patched release version is not independently confirmed.

WordPress XSS Google Widgets For Google Reviews
NVD VulDB
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-11898 MEDIUM This Month

Stored Cross-Site Scripting in the White Label CMS WordPress plugin (versions through 2.7.12) permits authenticated administrators to persist arbitrary JavaScript payloads via plugin settings pages, which then execute in the browsers of other users who access affected pages. Exploitation is gated behind two hard constraints: the attacker must hold administrator-level WordPress credentials, and the target site must be either a WordPress multisite installation or a site where the unfiltered_html capability has been explicitly disabled. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress XSS White Label Cms
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-9738 MEDIUM This Month

Stored Cross-Site Scripting in the Print, PDF, Email by PrintFriendly WordPress plugin (versions through 5.5.10) allows authenticated administrators to inject persistent JavaScript via the 'content_position_css' parameter, which executes in the browsers of any user who visits an affected page. The scope change (S:C) in the CVSS vector confirms the injected script breaks out of the plugin's security context into victim browsers, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

WordPress XSS Print Pdf Email By Printfriendly
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-12103 MEDIUM This Month

User enumeration via authorization bypass in the Wallet for WooCommerce WordPress plugin (versions up to and including 1.6.4) allows any authenticated subscriber-level user to extract login names, email addresses, and user IDs for every WordPress account on the site, including administrators. The flaw exists because the plugin exposes a 'search-user' nonce - required to call its AJAX search handler - directly in the wallet_param JavaScript object rendered on the publicly accessible WooCommerce My Account page, making it trivially obtainable by any logged-in user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and wide subscriber-level accessibility make exploitation straightforward on sites with open user registration.

Authentication Bypass WordPress Wallet For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10628 MEDIUM This Month

Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. No public exploit code or CISA KEV listing identified at time of analysis.

Authentication Bypass WordPress Points And Rewards For Woocommerce
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10041 MEDIUM This Month

Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Wcfm Frontend Manager For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-7559 MEDIUM This Month

Unauthorized affiliate management actions in the Affilia plugin for WordPress (all versions through 3.3.3) allow any subscriber-level authenticated user to approve or reject referrals, credit commissions to affiliate wallets, delete referral records, and modify banner options - enabling direct financial fraud against WooCommerce stores. The root cause is that the sole authentication gate relies on a WordPress nonce that is publicly embedded in every frontend page load via the JavaScript global `rtwalwm_global_params.rtwalwm_nonce`, making role-based access enforcement trivially bypassable. No public exploit code or CISA KEV listing is identified at time of analysis, but the low exploitation complexity and direct financial fraud impact make this a meaningful operational risk for any site running an affiliate program on this plugin.

Authentication Bypass WordPress Affiliate Program Referral Tracking For Woocommerce Wordpress Affilia
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-7620 MEDIUM This Month

Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.

Authentication Bypass WordPress Notification For Telegram
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-7544 MEDIUM This Month

Sensitive Information Exposure in the Mux Video Uploader WordPress plugin (all versions through 1.1.4) allows any authenticated WordPress user at subscriber level or higher to retrieve Mux API credentials via the `muxvideo_enqueue_settings_script` function. Mux API keys exposed this way could enable unauthorized access to the site's Mux account, including video management and potential billing abuse. Reported by Wordfence; no public exploit code or CISA KEV listing identified at time of analysis.

WordPress Information Disclosure Mux Video Uploader
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13116 MEDIUM This Month

Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress Pdf Invoices Packing Slips For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-3552 MEDIUM PATCH This Month

Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low authentication barrier and clear impact on site availability and SEO ranking make this a meaningful risk for affected WordPress deployments.

Authentication Bypass WordPress Denial Of Service Surflink Link Manager Backup Restore
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-8678 MEDIUM This Month

Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.

Authentication Bypass WordPress Myparcel
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-1832 MEDIUM This Month

Unauthorized cache deletion in the ThriveDesk WordPress plugin (all versions through 2.1.7) is possible by any authenticated user holding a Subscriber-level role or above, due to a missing capability check on the `thrivedesk_clear_cache` AJAX action. The root cause is a CWE-862 Missing Authorization flaw in `includes/helper.php` - any logged-in user can invoke the privileged cache-clearing function without role validation. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is bounded to cache disruption and potential performance degradation rather than data loss or code execution.

Authentication Bypass WordPress Agentic Help Desk Plugin For Wordpress Live Chat Ai Chatbot Ticketing Thrivedesk
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12738 MEDIUM This Month

Authorization bypass in the WP Easy Pay WordPress plugin (versions ≤4.5.0) allows any authenticated WordPress user at subscriber level or above to set arbitrary posts and pages to 'draft', silently unpublishing site content without editorial authorization. The flaw stems from missing capability checks in the plugin's action handlers (wpep-setup.php), confirmed by Wordfence with direct source code references. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the low barrier to exploitation - any registered user qualifies - makes this a meaningful risk on sites with open user registration.

Authentication Bypass WordPress Wp Easy Pay Payment And Donation Form Builder For Square
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-61448 LOW PATCH Monitor

Stored XSS execution in Parse Server (versions 9.0.0 through pre-9.10.0-alpha.2 and all 8.x releases through 8.6.83) allows authenticated users with file-upload permissions to inject persistent JavaScript that executes in the application's origin against other users, but only when a cloud-based storage adapter is configured. By crafting a deliberately malformed Content-Type header - such as 'image' or 'image/' - an attacker exploits a gap in the mime-package lookup path that renders the fileUpload.fileExtensions blocklist ineffective, causing the malformed value to be stored verbatim in Amazon S3, Google Cloud Storage, or Azure Blob Storage. Browsers receiving a syntactically invalid Content-Type fall back to MIME sniffing and render HTML file bodies as web pages in the application's origin; no public exploit has been identified and the vulnerability is absent from CISA KEV, but the stored nature means a single successful upload persists as a live threat until patched or the file is removed.

XSS Google Microsoft File Upload Parse Server
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-61870 LOW PATCH Monitor

Memory exhaustion denial of service in ImageMagick before 7.1.2-26 results from an unreleased memory leak in the VIFF image encoder triggered by failed memory allocation during image processing. Locally-positioned attackers without privileges can supply specially crafted VIFF images to repeatedly trigger this leak, gradually exhausting system memory. The CVSS 4.0 score of 2.1 with local attack vector, high complexity, and additional prerequisites indicates this is a low-severity, operationally limited issue; no public exploit code or CISA KEV listing has been identified at time of analysis.

Denial Of Service Imagemagick
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy