Skip to main content

WordPress

17354 CVEs vendor

Monthly

CVE-2026-15324 MEDIUM This Month

Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. No public exploit code or CISA KEV listing is confirmed at time of analysis; risk is substantially gated by the shop manager privilege requirement.

WordPress XSS Sysbasics Customize My Account For Woocommerce Live My Account Customizer
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-15103 HIGH This Week

Privilege escalation in the WPFunnels (Funnel Builder for WooCommerce) plugin for WordPress lets authenticated users holding the wpf_manage_funnels capability — typically the plugin's Funnel Manager custom role — rewrite the global wp_user_roles option and grant their own role full administrator capabilities. All versions up to and including 3.12.8 are affected, and Wordfence rates it CVSS 8.8 (High). No public exploit has been identified at time of analysis, but the root cause is trivial (an unvalidated option name reaching update_option()), making reliable weaponization straightforward for a low-privileged insider.

Privilege Escalation WordPress Wpfunnels Funnel Builder For Woocommerce With Checkout One Click Upsell
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-15727 MEDIUM This Month

SQL injection in the WP Bulk Delete WordPress plugin (all versions up to and including 1.4.2) allows authenticated attackers holding administrator-level privileges to append arbitrary SQL to existing queries via the delete_user_roles POST parameter, enabling full database read access. The root cause is a code-level stripping of WordPress's built-in magic-quotes protection: wp_unslash() is called on the raw POST body before parse_str() decomposes it, leaving attacker-controlled values fully unescaped when they reach the SQL sink in class-delete-api.php. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; real-world risk is bounded by the administrator authentication requirement.

SQLi WordPress Wp Bulk Delete
NVD VulDB
CVSS 3.1
4.9
EPSS
0.4%
CVE-2026-15021 MEDIUM This Month

Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Wpforo Forum
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15005 HIGH This Week

Remote code execution in the Loco Translate WordPress plugin (all versions up to and including 2.8.5) is reachable through a Cross-Site Request Forgery flaw in the execTemplate function, where missing nonce validation lets an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link supply a php://filter stream wrapper as the 'template' parameter, bypassing path validation and reaching a PHP include sink to execute arbitrary code. The chain converts a classic CSRF (CWE-352) into full server compromise, carrying CVSS 8.8 (C:H/I:H/A:H). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

CSRF PHP WordPress Loco Translate
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13741 HIGH This Week

Privilege escalation in the Digits WordPress Mobile Number Signup and Login plugin (all versions through 9.1.0.5) lets authenticated Subscriber-level users promote themselves to Administrator by submitting a forged digits_reg_userrole value during a profile update. The flaw stems from the dig_update_wpwc_custom_fields() function failing to validate the caller's authorization or the requested role. There is no public exploit identified at time of analysis, but the low barrier (any registered user on an affected site with the DIGITS User Role field configured) and full-administrator outcome make this a high-priority patching item.

Privilege Escalation WordPress Digits
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13755 MEDIUM This Month

Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.

WordPress XSS Tickera Sell Tickets Manage Events
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15610 MEDIUM This Month

Authorization bypass in the WPBot AI ChatBot plugin for WordPress (all versions ≤ 8.5.6) permits any subscriber-level authenticated user to invoke the plugin's RAG document re-embedding functionality without authorization, directly modifying the rag_documents database table and triggering calls to the site owner's paid AI APIs (OpenAI, Gemini, OpenRouter, or xAI). The root cause is a missing capability check in class-qcld-bot-rag.php, confirmed by Wordfence and traceable to specific code paths in qcld-wpwbot.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.3 Medium score reflects constrained direct security impact - though financial harm from API credit exhaustion represents the primary real-world risk.

Authentication Bypass WordPress Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15106 MEDIUM This Month

Unauthorized deletion of chat session records in the WPBot WordPress plugin affects all versions through 8.5.6, allowing unauthenticated remote attackers to wipe arbitrary conversation history and user records by supplying a crafted userid parameter to unprotected endpoints. The root cause is a missing authorization check (CWE-862) in the chat sessions module, confirmed by Wordfence with source-level references to the vulnerable code in wpbot-chat-sessions.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS-assigned score of 5.3 Medium reflects the limited scope: data deletion with no confidentiality or availability impact on the service itself.

Authentication Bypass WordPress Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-15407 MEDIUM This Month

Authorization bypass in the Themify Builder WordPress plugin (all versions through 7.7.7) permits any authenticated subscriber-level user to overwrite or delete CSS stylesheet files for arbitrary posts - including private and draft posts owned by other users - and modify plugin-scoped font options site-wide. The CSRF nonce (tf_nonce) nominally required to gate these actions is broadcast to every authenticated user visiting any public front-end builder page via wp_localize_script, making it trivially collectible and rendering it ineffective as a security control. No active exploitation is confirmed (not in CISA KEV) and no public exploit has been identified at time of analysis.

Authentication Bypass CSRF WordPress Themify Builder
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-15651 MEDIUM This Month

SQL Injection in the WP TripAdvisor Review Slider WordPress plugin (all versions through 14.6) allows authenticated attackers holding administrator-level credentials to append arbitrary SQL to existing queries via the unsanitized 'filtersource' parameter, exposing sensitive data stored in the WordPress database. The flaw originates from insufficient escaping and missing prepared statement usage across multiple display and admin class files identified by Wordfence. No public exploit code or active exploitation has been identified at time of analysis, and the high privilege requirement significantly constrains real-world impact.

SQLi WordPress Wp Tripadvisor Review Slider
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-15008 HIGH This Week

Arbitrary file deletion in the Uncanny Automator WordPress plugin (all versions through 7.3.1.4) lets unauthenticated attackers delete any file on the server via untrusted PHP object deserialization in the fr_token function, and deleting a critical file such as wp-config.php can pivute WordPress into an installation/setup state that yields remote code execution. Exploitation is gated by a specific setup: a Forminator form must be connected to an Uncanny Automator recipe whose trigger is configured for 'Everyone', which is what exposes the deserialization sink to anonymous form submissions. A self-contained gadget chain via Action_Helpers_Email::__destruct() ships inside the plugin, so no external gadget library is needed; reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

PHP RCE WordPress Deserialization Uncanny Automator Easy Automation Integration Webhooks Workflow Builder Plugin
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2026-15022 MEDIUM This Month

{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected SQL. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided.

SQLi WordPress Tutor Lms Elearning And Online Course Solution
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13754 MEDIUM This Month

SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. No active exploitation is confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis, keeping real-world urgency moderate despite the High confidentiality impact.

SQLi WordPress Tickera Sell Tickets Manage Events
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-7543 HIGH This Week

Stored cross-site scripting in the Breakdance WordPress page-builder plugin (versions through 2.7.1) lets unauthenticated attackers inject persistent JavaScript through the 'fields' parameter, which then runs in the browser of any user who views the affected page. The flaw carries a CVSS 3.1 score of 7.2, elevated by a scope change (S:C) because the payload executes in visitors' browser sessions rather than the server context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Wordfence discovered and reported it.

WordPress XSS Breakdance
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-13767 MEDIUM This Month

Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. No public exploit code has been identified at time of analysis; however, the split-phase attack pattern - where payload planting and execution are decoupled - commonly evades first-order WAF detection and standard code scanning, elevating practical risk beyond the 6.5 CVSS score alone.

SQLi WordPress Quiz And Survey Master Qsm Quiz Maker Survey Maker
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-15350 MEDIUM This Month

Authorization bypass in The Cache Purger WordPress plugin (all versions through 2.3.20) allows any subscriber-level authenticated user to permanently destroy the plugin's entire cache-purge audit log (wp-content/purge.log). The root cause is that the tcp_log_purge nonce - the only credential required to trigger log deletion - is rendered in the WordPress admin bar on frontend pages visible to all authenticated users, including the lowest-privilege subscribers, making the authorization check trivially bypassable. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress The Cache Purger
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15099 MEDIUM This Month

Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.

WordPress XSS Wp Delicious Recipe Plugin For Food Bloggers Formerly Delicious Recipes
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12979 MEDIUM POC PATCH This Month

Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. Leveraging CVSS scope change (S:C), a malicious admin can target configuration files belonging to other installed plugins, causing cascading denial-of-service across the WordPress installation. A publicly available exploit exists; the vulnerability is not in the CISA KEV catalog at time of analysis.

Path Traversal Denial Of Service WordPress Funnelkit
NVD WPScan
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-12978 HIGH POC PATCH This Week

Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.

WordPress XSS Funnelkit
NVD WPScan
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-12907 POC PATCH This Week

The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, which is normally restricted to administrators.

WordPress Information Disclosure Rtmkit
NVD WPScan
EPSS
0.1%
CVE-2026-12906 POC PATCH This Week

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.

WordPress Information Disclosure Rtmkit
NVD WPScan
EPSS
0.1%
CVE-2026-12869 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. A publicly available exploit exists per WPScan (EUVD-2026-44878); no CISA KEV listing at time of analysis.

WordPress XSS Header Footer Builder For Elementor
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12684 POC PATCH This Week

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.

WordPress Information Disclosure Customer Reviews For Woocommerce
NVD WPScan
EPSS
0.2%
CVE-2026-12585 POC PATCH This Week

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled.

WordPress Information Disclosure Abandoned Cart Lite For Woocommerce
NVD WPScan
EPSS
0.1%
CVE-2026-12525 POC PATCH This Week

The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile, on sites where the Redux Framework WordPress plugin before 4.5.13's user-profile (Users extension) feature is enabled.

Privilege Escalation WordPress Redux Framework
NVD WPScan
EPSS
0.1%
CVE-2026-12510 POC PATCH This Week

The AI Engine WordPress plugin before 3.5.5 does not verify that a user owns the chatbot conversation referenced by a client-supplied identifier, allowing users with subscriber-level access to read other users' private conversations and take over their conversation records when the discussions feature is enabled.

WordPress Information Disclosure Ai Engine
NVD WPScan
EPSS
0.1%
CVE-2026-12492 POC PATCH This Week

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts.

WordPress Information Disclosure Happy Coders Otp Login For Woocommerce
NVD WPScan
EPSS
0.1%
CVE-2026-12395 POC PATCH This Week

The WP Job Portal WordPress plugin before 2.5.5 does not properly sanitize and escape a parameter before using it in a SQL query, allowing authenticated users with a subscriber-level (self-registerable) account to perform SQL injection attacks.

SQLi WordPress Wp Job Portal
NVD WPScan
EPSS
0.2%
CVE-2026-11866 POC PATCH This Week

The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the connected payment gateway, via Cross-Site Request Forgery against a logged-in administrator.

CSRF WordPress Appointment Booking Plugin
NVD WPScan
EPSS
0.1%
CVE-2026-11371 MEDIUM POC PATCH This Month

Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. A publicly available exploit exists via WPScan; no active exploitation confirmed in CISA KEV at time of analysis.

WordPress XSS Betterdocs
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-15458 MEDIUM This Month

SQL Injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'sort_field' parameter, exposing sensitive database contents. The vulnerability resides in seo-booster.php (lines 389, 404, 406) where user-supplied sort input is neither escaped nor parameterized before being incorporated into SQL execution. Despite a high confidentiality impact, exploitation is gated behind WordPress administrator-level credentials (PR:H), substantially limiting the realistic attack surface. No public exploit identified at time of analysis; a WordPress Trac changeset (3606177) suggests a patch has been committed.

SQLi WordPress Seo Booster
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-15013 CRITICAL Act Now

Authentication bypass in the miniOrange SAML Single Sign On - SSO Login plugin for WordPress (all versions through 5.4.3) lets unauthenticated attackers forge SAML assertions and seize any account, including administrator. The plugin trusts the SignatureMethod algorithm declared inside the attacker-supplied SAMLResponse, enabling an RSA-to-HMAC signature confusion attack that yields valid WordPress auth cookies and full admin takeover. Reported by Wordfence; no public exploit identified at time of analysis, but the flaw is trivially exploitable and carries a 9.8 CVSS.

Authentication Bypass WordPress Jwt Attack Saml Single Sign On Sso Login
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-13042 HIGH This Week

Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-interaction entry point makes it a practical drive-by injection risk.

WordPress XSS Rpb Chessboard
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-15445 MEDIUM This Month

Time-based SQL injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) allows authenticated administrators to extract sensitive database contents by manipulating the unquoted 'orderby' parameter in the Google Search Console list table component. The root cause is that developer-applied sanitization functions esc_sql() and sanitize_text_field() fail to neutralize SQL keywords, subquery syntax, commas, or parentheses when used in an ORDER BY clause context, leaving the clause fully attacker-controlled. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS score data was not provided.

SQLi WordPress Seo Booster
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-15306 MEDIUM This Month

Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.

WordPress XSS Product Feed Manager For Woocommerce Sell On 200 Online Marketplaces
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-15652 MEDIUM This Month

Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.

WordPress XSS Easy Accordion Ai Powered Faq Accordion Blocks Product Faq
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12941 MEDIUM This Month

SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. No public exploit code or CISA KEV listing has been identified at time of analysis, but the default-on privilege escalation path substantially raises exploitability beyond the PR:L CVSS score suggests.

SQLi WordPress Multivendorx Woocommerce Multivendor Marketplace Ai Powered Solutions
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-14987 MEDIUM This Month

Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12409 MEDIUM This Month

Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified; EPSS data was not provided in available intelligence.

CSRF WordPress Landing Page Builder Coming Soon Page Maintenance Mode Lead Page Wordpress Landing Pages
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-12753 HIGH This Week

SQL injection in ThemeHunk's Advance Product Search - Voice & Ajax Search for WooCommerce plugin (all versions ≤ 1.4.4) lets unauthenticated attackers inject arbitrary SQL through the 's' and 'match' search parameters, enabling extraction of sensitive database contents such as user credentials and order data. The flaw stems from unescaped, unprepared query construction in the plugin's AJAX search backend and is remotely exploitable without authentication or user interaction. Reported by Wordfence; no public exploit identified at time of analysis and not listed in CISA KEV.

SQLi WordPress Advance Product Search Voice Ajax Search For Woocommerce
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12434 MEDIUM This Month

Sensitive information exposure in the List Category Posts WordPress plugin (all versions through 0.95.0) allows authenticated contributors to read non-public posts belonging to other users - including pending-review, scheduled, and trashed content with full body text, excerpts, authors, and custom-field metadata. Exploitation requires only a contributor-level account and the ability to embed the native [catlist] shortcode in a draft post, then preview it, triggering the flawed sanitize_status logic. This is a confirmed bypass of the incomplete authorization fix shipped in version 0.93.0 for CVE-2025-11377, indicating the root authorization flaw was never fully remediated. No public exploit code or CISA KEV listing is identified at time of analysis.

Authentication Bypass WordPress Information Disclosure List Category Posts
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15336 MEDIUM This Month

Missing authorization in the Catch Themes Demo Import WordPress plugin (versions up to and including 3.3) allows any subscriber-level authenticated user to force-install a hardcoded third-party plugin onto the target WordPress site. The vulnerability exists because catch_themes_demo_import_activate_plugin(), hooked on admin_init, invokes Plugin_Upgrader::install() to fetch and install 'essential-content-types' from WordPress.org before performing the current_user_can('activate_plugins') capability check - a classic authorization-check inversion. No public exploit code has been identified at time of analysis, and the constrained impact (only one hardcoded plugin can be installed, not arbitrary ones) meaningfully limits real-world severity despite the low authentication requirement.

Authentication Bypass WordPress Catch Themes Demo Import
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13005 MEDIUM This Month

Stored Cross-Site Scripting in the MxChat AI Chatbot & Content Generation WordPress plugin (versions up to and including 3.2.10) enables authenticated administrators to persist malicious scripts through admin settings panels. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, narrowing the realistic attack surface significantly. No public exploit code or active exploitation (CISA KEV) has been identified; CVSS 4.4 Medium reflects the restricted conditions and high privilege requirement.

WordPress XSS Mxchat Ai Chatbot Content Generation For Wordpress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-54254 PyPI MEDIUM PATCH GHSA This Month

Pixeldrain API key exfiltration in cyberdrop-dl-patched (versions 8.5.0 through 9.13.x) allows a network attacker who controls a lookalike domain (e.g., evil-pixeldrain.com) to receive the victim's Pixeldrain Authorization header when the tool processes a crafted URL. The root cause is substring-based host matching: any domain containing 'pixeldrain' as a substring is accepted as a valid Pixeldrain host, causing the tool to blindly send API credentials to attacker-controlled infrastructure. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the attack path is straightforward and fully described in the advisory.

WordPress Information Disclosure
NVD GitHub
CVE-2026-12997 HIGH This Week

Arbitrary file disclosure in the Gravity Forms WordPress plugin (all versions through 2.10.4) lets unauthenticated attackers read sensitive files from the web server by abusing the 'gform_uploaded_files' parameter against the process_send_resume_link endpoint. Reported by Wordfence, the flaw carries CVSS 7.5 and is exfiltrated by directing the traversal-retrieved file to an attacker-controlled email as a form notification attachment. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal WordPress Gravity Forms
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-12512 HIGH POC PATCH This Week

UNION-based SQL injection in the Quotes Llama WordPress plugin (all versions before 3.1.6) lets unauthenticated remote attackers inject arbitrary SQL through an unsanitized request parameter and read any data from the WordPress database, including user password hashes. Publicly available exploit code exists and a vendor patch has been released; the flaw carries a high EPSS-relevant profile because it is remotely reachable with no authentication or user interaction. This is no public exploit identified as actively exploited (not in CISA KEV), but working PoC availability makes opportunistic mass-scanning likely.

SQLi WordPress Quotes Llama
NVD WPScan VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-12281 HIGH POC PATCH This Week

Authentication bypass in the Shibboleth WordPress plugin before 2.5.4 lets remote unauthenticated attackers forge identity headers and log in when the HTTP header identity mode is enabled without an anti-spoofing key. Because the plugin fails open rather than closed, any request carrying identity headers is trusted as an authenticated session, and with automatic account creation plus the default administrator role mapping an attacker can provision and sign in as a brand-new administrator. Rated CVSS 8.1 (CWE-287); publicly available exploit code exists (WPScan), but it is not listed in CISA KEV.

Authentication Bypass WordPress Shibboleth
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-11580 MEDIUM POC PATCH This Month

Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. A publicly available proof-of-concept exists per WPScan; the vulnerability is not currently listed in the CISA KEV catalog, though the low privilege bar and default-enabled feature make it an actionable risk on any multi-user WordPress installation running the affected plugin.

Authentication Bypass WordPress Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-11579 MEDIUM POC PATCH This Month

Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. Impact is bounded by WordPress's core MIME type allowlist, which prevents upload of executable files and thereby rules out code execution; a publicly available proof-of-concept is confirmed by WPScan, and no CISA KEV listing is present at time of analysis.

File Upload RCE WordPress Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13001 CRITICAL Act Now

Arbitrary file upload in the Podlove Podcast Publisher WordPress plugin (all versions through 4.5.1) allows remote attackers to place attacker-controlled files on the server via the image caching path, potentially escalating to remote code execution. The root cause is incomplete file-type validation in the plugin's image cache handling, where a cached file's extension was trusted rather than re-derived from the actual validated image type. Reported by Wordfence and fixed upstream; no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

RCE WordPress Podlove Podcast Publisher
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2026-9341 MEDIUM This Month

Insecure Direct Object Reference in the Academy LMS WordPress plugin (all versions through 3.8.0) allows authenticated attackers with Subscriber-level access to read, overwrite, or delete the private lesson notes of any user - including administrators - and to falsify lesson-completion records for arbitrary accounts. Three AJAX handlers (save_lesson_note, get_lesson_note, complete_lesson_video) perform no ownership validation on a user-controlled key, making cross-user data manipulation trivially achievable by any registered site user. No public exploit identified at time of analysis, but the attack surface is fully described via Wordfence's public threat-intelligence entry and source-level code references.

Authentication Bypass WordPress Academy Lms
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-12988 MEDIUM POC PATCH This Month

Account takeover in the WP 2FA WordPress plugin (all versions before 3.1.1.2) is achievable by any attacker who has obtained a valid user's credentials. The plugin fails to verify that the email address submitted during two-factor authentication enrollment belongs to the authenticated account (CWE-862: Missing Authorization), allowing the attacker to redirect the setup verification code to an attacker-controlled inbox and complete 2FA enrollment on behalf of the victim. A publicly available proof-of-concept exists per WPScan; this vulnerability is not currently listed in the CISA KEV catalog, but the combination of a PoC, medium-prevalence deployment, and account-takeover impact warrants prompt patching.

Authentication Bypass WordPress Wp 2Fa
NVD WPScan
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12583 HIGH POC PATCH This Week

Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize attacker-controlled data submitted through a public-facing form, then leverage a property-oriented gadget chain bundled inside the plugin itself to write arbitrary files and achieve remote code execution on the host. Publicly available exploit code exists (published via WPScan), though there is no public exploit identified as being used in active attacks and the flaw is not listed in CISA KEV. The self-contained gadget chain removes the usual dependency on third-party gadgets, making reliable exploitation notably more achievable than typical POI bugs.

PHP WordPress Deserialization Newsletters
NVD WPScan
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-12511 HIGH POC PATCH This Week

Arbitrary file write in the AI Engine WordPress plugin before 3.5.5 lets authenticated editor-level users abuse an unsanitized, user-supplied filename during a file-download-and-save operation to plant attacker-controlled bytes anywhere the web server user can write via path traversal. Because writing a PHP payload into the webroot typically yields remote code execution, this crosses from a content-management flaw into full site compromise. Publicly available exploit code exists and a vendor patch has shipped, though the issue is not listed in CISA KEV.

Path Traversal WordPress Ai Engine
NVD WPScan
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-11567 MEDIUM POC PATCH This Month

SureForms WordPress plugin before 2.11.1 permits unauthenticated attackers to submit manipulated payment amounts below the configured price on any form using a dynamically-sourced or hidden variable payment field, enabling financial fraud against site operators. The integrity bypass is confined to forms with variable pricing; fixed-price forms are explicitly unaffected. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 2.11.1 - though no CISA KEV listing confirms active mass exploitation at time of analysis.

WordPress Information Disclosure Sureforms
NVD WPScan
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-11563 CRITICAL POC Act Now

Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list.

PHP CSRF WordPress Word Count And Social Shares
NVD WPScan
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-15665 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Ultimate Before After Image Slider & Gallery WordPress plugin (all versions before 4.7.1) enables users with administrator-level access to plant persistent malicious scripts via the BEAF Slider widget's shortcode field, which then execute silently in the browsers of any site visitor loading a page displaying the widget. The plugin pipes the field value through WordPress's native do_shortcode() function without sanitizing or escaping the output, causing unrecognized content to be echoed verbatim to the rendered page. A publicly available proof-of-concept has been disclosed by WPScan; no active exploitation has been confirmed in the CISA Known Exploited Vulnerabilities catalog.

WordPress Information Disclosure Ultimate Before After Image Slider Gallery
NVD WPScan
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-7640 MEDIUM This Month

Stored Cross-Site Scripting in WP Customer Area WordPress plugin (versions up to and including 8.3.5) allows authenticated attackers with Contributor-level access or above to persistently inject arbitrary JavaScript via the unsanitized 'type' attribute of the customer-area-protected-content shortcode. The injected payload executes in the browser of any user who visits the compromised page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis; however, the Contributor-level prerequisite is a low barrier in multi-author WordPress environments.

XSS WordPress Wp Customer Area
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-11390 MEDIUM This Month

Stored Cross-Site Scripting in the News Kit Addons For Elementor WordPress plugin (versions ≤1.4.6) permits authenticated contributors to persistently inject arbitrary JavaScript into pages via the Site Logo Title and Single Author Box widgets by manipulating the elementor_ajax AJAX save request to bypass client-side tag-name restrictions. Every user who subsequently visits an injected page executes the attacker's script in their browser, enabling session hijacking, credential theft, or admin-level actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; a vendor-released patch is available in version 1.4.7.

XSS WordPress News Kit Addons For Elementor
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-11802 MEDIUM This Month

Unauthorized account self-registration in the FoodBook Lite WordPress plugin through version 1.5.6 allows unauthenticated remote attackers to create 'customer'-role accounts and obtain valid WordPress authentication cookies, even when the site administrator has explicitly disabled user registration. The flaw exists because the plugin's registration() function is registered on the publicly accessible wp_ajax_nopriv_registration_action AJAX hook and calls wp_insert_user() without performing nonce verification, capability checks, or consulting the users_can_register site option. No public exploit has been identified at time of analysis and no KEV listing exists; Wordfence reported the issue with a confirmed fix in version 1.5.7.

Authentication Bypass WordPress Foodbook Lite Online Food Ordering System
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12385 MEDIUM This Month

Sensitive information exposure in the Smart Slider 3 WordPress plugin (all versions up to and including 3.5.1.37) allows authenticated Contributor-level users to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts belonging to any user on the site - including Administrators and Editors - via the unsecured 'keyword' Ajax parameter. The attack barrier is further lowered because the required nonce is automatically emitted on /wp-admin/post-new.php, a page accessible to any Contributor by default through the edit_posts capability, making nonce acquisition trivial. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis.

PHP Information Disclosure WordPress Smart Slider 3
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12536 MEDIUM This Month

Stored Cross-Site Scripting in the Avada (Fusion) Builder WordPress plugin versions up to 3.15.5 allows authenticated contributors to inject persistent malicious scripts via the 'Module Title' parameter, executing in the browsers of any user who views the affected page. This grants attackers the ability to steal session tokens, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No public exploit or CISA KEV listing has been identified at time of analysis, though the Contributor-level entry bar makes this accessible to a broad attacker pool on sites with open registration.

XSS WordPress Avada Fusion Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-61958 MEDIUM This Month

Missing authorization in the License Manager for WooCommerce WordPress plugin (versions through 3.0.17) allows authenticated low-privilege users to perform arbitrary content deletion without proper permission checks. The flaw stems from CWE-862, where sensitive plugin actions are accessible to any authenticated user regardless of their assigned role. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress License Manager For Woocommerce
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-61952 MEDIUM This Month

Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, though the integrity-only impact and high-privilege requirement constrain the realistic attack surface.

Authentication Bypass WordPress Woocommerce Bulk Edit Products Wp Sheet Editor
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-57815 HIGH This Week

Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and including 1.55.0.2, letting remote unauthenticated attackers read files outside the intended directory (CVSS 7.5, confidentiality-only). The Patchstack reference characterizes this as an arbitrary file download flaw, meaning sensitive server files such as wp-config.php could be exfiltrated. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal WordPress Forminator
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57814 HIGH This Week

DOM-based cross-site scripting in the WPMU DEV Forminator WordPress plugin (versions up to and including 1.55.0.1) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a maliciously crafted link or page element. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope-changing impact but requires user interaction; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS WordPress Forminator
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57810 HIGH This Week

Blind SQL injection in the APIExperts "Square for WooCommerce" (woosquare) WordPress plugin affects all versions up to and including 4.7.4, allowing an authenticated attacker to inject crafted SQL into a database query and infer or extract data via boolean/time-based blind techniques. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the CVSS vector specifies PR:L, exploitation requires an existing low-privileged authenticated session rather than fully anonymous access.

SQLi WordPress Apiexperts Square For Woocommerce
NVD
CVSS 3.1
8.5
EPSS
0.4%
CVE-2026-57773 HIGH This Week

Blind SQL injection in the Zorem "Advanced Shipment Tracking for WooCommerce" WordPress plugin (all versions through 4.0) lets an authenticated high-privileged user inject SQL into a backend query and extract database contents inference by inference. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed via Patchstack. Because exploitation requires elevated WordPress privileges (CVSS PR:H), real-world risk is bounded to trusted-but-abusive or compromised admin/shop-manager accounts rather than anonymous internet attackers.

SQLi WordPress Advanced Shipment Tracking For Woocommerce
NVD
CVSS 3.1
7.6
EPSS
0.4%
CVE-2026-57709 HIGH This Week

Arbitrary file deletion in WP Swings' Membership For WooCommerce WordPress plugin (all versions up to and including 3.1.0) lets remote attackers delete files outside the intended directory via unsanitized path input. The CVSS vector (PR:N) indicates the flaw is reachable without authentication, and the scope-changed rating reflects that deletion of critical files (e.g., wp-config.php) can break or reset the entire WordPress site. No public exploit has been identified at time of analysis; the issue was reported by Patchstack.

Path Traversal WordPress Membership For Woocommerce
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-57698 MEDIUM This Month

Authentication bypass in VillaTheme's Abandoned Cart Recovery for WooCommerce (versions through 1.1.12) allows unauthenticated remote attackers to access protected functionality via an alternate authentication path or channel (CWE-288). The CVSS vector confirms network-reachable, zero-complexity exploitation requiring no privileges or user interaction, yielding partial confidentiality and integrity compromise. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and unauthenticated nature elevate practical risk for any WooCommerce store running this plugin.

Authentication Bypass WordPress Abandoned Cart Recovery For Woocommerce
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-57424 MEDIUM This Month

Missing authorization in Razorpay Payment Links for WooCommerce (versions through 2.1.4) allows unauthenticated network attackers to invoke privileged plugin actions without any authentication check. The flaw stems from CWE-862, where one or more AJAX endpoints or REST routes in the plugin fail to verify the caller's identity or capability before executing sensitive operations, resulting in low-severity integrity and availability impacts against WooCommerce payment link workflows. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass WordPress Razorpay Payment Links For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57422 HIGH This Week

Reflected cross-site scripting in the VillaTheme Bopo - WooCommerce Product Bundle Builder plugin for WordPress affects all versions up to and including 1.2.0, letting unauthenticated attackers inject script into a victim's browser session when the victim clicks a crafted link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a scope change, meaning injected script executes in the WordPress site's security context and can target logged-in administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but reflected XSS in WooCommerce plugins is a well-understood and easily weaponized class.

XSS WordPress Bopo Woocommerce Product Bundle Builder
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57419 MEDIUM This Month

Stock Locations for WooCommerce plugin (versions through 3.1.8) exposes one or more privileged operations without performing authorization checks, allowing authenticated low-privileged WordPress users to manipulate stock location data they should have no rights to modify. Rooted in CWE-862 (Missing Authorization), the flaw means the plugin accepts and executes sensitive requests based solely on authentication rather than verifying the requester's WordPress capability level. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-privilege access requirement and straightforward network exploitation path make it a realistic risk for any multi-location WooCommerce store running the affected plugin.

Authentication Bypass WordPress Stock Locations For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57414 MEDIUM This Month

Stored Cross-Site Scripting in QuantumCloud's WoowBot (ChatBot for eCommerce) WordPress plugin allows authenticated low-privileged users to inject persistent malicious scripts that execute in victims' browsers when stored content is rendered. Versions through 4.6.1 are affected, with a scope change confirmed by the CVSS vector (S:C), meaning attacker-controlled JavaScript runs in the context of other users - including administrators. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS WordPress Chatbot For Ecommerce 8211 Woowbot
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57409 HIGH This Week

DOM-based cross-site scripting affects the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (slug profit-products-tables-for-woocommerce) in all versions through 1.1.0, letting a remote attacker deliver crafted input that is unsafely written into the DOM and executed as script in a victim's browser. Because the CVSS scope is changed (S:C) and no authentication is required (PR:N), successful exploitation can affect resources beyond the vulnerable component, though it requires the victim to interact with an attacker-influenced page or link (UI:R). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was supplied.

XSS WordPress Active Products Tables For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57407 HIGH This Week

Server-Side Request Forgery in WP Swings' PDF Generator for WordPress plugin (all versions up to and including 1.6.2) lets remote attackers coerce the WordPress server into issuing attacker-controlled outbound requests, with a scope-changed impact reaching adjacent internal systems. Reported by Patchstack and tracked as CWE-918 with a CVSS 3.1 base score of 7.2, it currently has no public exploit identified at time of analysis and is not listed in CISA KEV. Because the scope is changed (S:C), successful abuse can pivot the server against internal metadata endpoints, intranet services, or cloud IMDS resources beyond the WordPress host itself.

WordPress SSRF Pdf Generator For Wordpress
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-57404 MEDIUM This Month

Missing authorization in the Booking and Rental Manager WordPress plugin (≤ 2.6.9) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification of booking data and partial disruption of plugin availability. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication or user interaction against any internet-facing WordPress/WooCommerce site running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforwardly exploitable once a target is identified.

Authentication Bypass WordPress Booking And Rental Manager
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57402 MEDIUM This Month

Stored cross-site scripting in the wpdesk Flexible Refund and Return Order for WooCommerce plugin (versions through 1.0.51) allows authenticated low-privileged users - such as registered WooCommerce customers - to inject persistent malicious scripts that execute in the browsers of other users, including administrators who review refund submissions. The scope-changed CVSS vector (S:C) confirms impact crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against shop owners. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

XSS WordPress Flexible Refund And Return Order For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57400 MEDIUM This Month

Missing Authorization (CWE-862) in the Event Tickets Manager for WooCommerce WordPress plugin versions through 1.5.5 allows unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited but unauthorized modification of data and disruption of availability. The CVSS vector (PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, lowering the barrier for abuse against any WordPress site with the plugin installed and active. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Event Tickets Manager For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57396 HIGH This Week

Stored cross-site scripting in the Flintop "Free Gifts for WooCommerce" WordPress plugin (all versions through 13.1.0) lets an attacker inject persistent JavaScript that executes in the browser of anyone viewing the affected page. Reported by Patchstack and tracked as CWE-79, it carries a CVSS 7.1 score driven by a changed scope (S:C), and has no public exploit identified at time of analysis. No CISA KEV listing or POC has been reported, so this is a disclosed-but-not-yet-weaponized web plugin flaw.

XSS WordPress Free Gifts For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57393 MEDIUM This Month

Sensitive system information exposure in the WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) enables authenticated low-privilege users to retrieve embedded sensitive data via network requests. Classified under CWE-497, the flaw allows an attacker with minimal WordPress credentials - such as a customer or subscriber account - to access system-level or configuration data that should be restricted to administrative contexts. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the high confidentiality impact and low privilege requirement make it a meaningful risk for WooCommerce merchants running affected plugin versions.

Information Disclosure WordPress Woocommerce Pdf Invoice Builder
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-57390 MEDIUM This Month

Missing authorization in the Extra Product Options Builder for WooCommerce plugin (versions through 1.2.167) permits remote unauthenticated attackers to perform restricted actions without valid credentials, impacting both data integrity and service availability on affected WordPress storefronts. The flaw stems from CWE-862 - the plugin exposes endpoints or AJAX actions that fail to verify whether the caller holds the necessary capability or role before executing sensitive operations. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

Authentication Bypass WordPress Extra Product Options Builder For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12582 HIGH POC PATCH This Week

The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.

WordPress SQLi Library Management System
NVD WPScan VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-12397 MEDIUM POC PATCH This Month

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers' private account email addresses by enumerating job identifiers.

WordPress Information Disclosure Wp Job Portal
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-12396 MEDIUM POC PATCH This Month

Missing authorization in WP Job Portal WordPress plugin before 2.5.5 allows any self-registered subscriber to approve, feature, or reject arbitrary job listings owned by other users, bypassing both capability and ownership checks entirely. The subscriber role is self-registerable on most WordPress sites, meaning an unauthenticated attacker can trivially obtain the access level needed to exploit this flaw with no admin interaction required. A publicly available proof-of-concept exists; no CISA KEV listing indicates confirmed mass exploitation at time of analysis.

Information Disclosure WordPress Wp Job Portal
NVD WPScan VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-12275 HIGH POC PATCH This Week

Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass paid/private-course access controls when the Droip or Kirki page-builder integration is active. Because these integration handlers omit the enrollment, purchase, and private-course capability checks enforced in the core course handler, low-privileged accounts can self-enroll in paid or private courses, read otherwise-restricted content, and mark arbitrary courses complete. Reported by WPScan with publicly available exploit detail and a vendor patch released; no active exploitation is currently listed in CISA KEV.

WordPress Information Disclosure Tutor Lms
NVD WPScan
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-12274 MEDIUM POC PATCH This Month

Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-level user to overwrite and take over arbitrary posts or pages sitewide, including administrator-owned content. The content-builder save handler validates the request against an unrelated identifier rather than confirming the requesting user owns or is permitted to edit the target post, making the authorization check entirely ineffective. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis, though the low barrier (instructor account only) and high integrity impact elevate real-world risk significantly.

Information Disclosure WordPress Tutor Lms
NVD WPScan
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-12273 MEDIUM POC PATCH This Month

Tutor LMS WordPress plugin (all versions before 3.9.13) allows authenticated users with subscriber-level access to post auto-approved comments containing arbitrary HTML and external links on any site content, bypassing the comment moderation queue entirely. The vulnerable comment handler performs no authorization check and no post-target validation before creating comments, making this exploitable by any registered user on sites with open registration - a common LMS deployment pattern. A publicly available POC from WPScan exists; no CISA KEV listing indicates confirmed mass exploitation, but the low privilege bar and POC availability make this a realistic content-integrity threat.

Authentication Bypass WordPress Tutor Lms
NVD WPScan
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-12271 MEDIUM POC PATCH This Month

Missing ownership verification in Tutor LMS WordPress plugin before 3.9.13 allows any authenticated subscriber-level user to overwrite other students' quiz attempt records, including their scores and pass/fail status. The flaw is an insecure direct object reference (IDOR) pattern: the plugin writes to quiz attempts without confirming the requesting user owns that attempt. A public exploit exists per WPScan, meaning the technique is documented and reproducible; however, this CVE is not listed in the CISA KEV catalog, indicating no confirmed mass exploitation at time of analysis.

Information Disclosure WordPress Tutor Lms
NVD WPScan
CVSS 3.1
5.4
EPSS
0.1%
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. No public exploit code or CISA KEV listing is confirmed at time of analysis; risk is substantially gated by the shop manager privilege requirement.

WordPress XSS Sysbasics Customize My Account For Woocommerce Live My Account Customizer
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the WPFunnels (Funnel Builder for WooCommerce) plugin for WordPress lets authenticated users holding the wpf_manage_funnels capability — typically the plugin's Funnel Manager custom role — rewrite the global wp_user_roles option and grant their own role full administrator capabilities. All versions up to and including 3.12.8 are affected, and Wordfence rates it CVSS 8.8 (High). No public exploit has been identified at time of analysis, but the root cause is trivial (an unvalidated option name reaching update_option()), making reliable weaponization straightforward for a low-privileged insider.

Privilege Escalation WordPress Wpfunnels Funnel Builder For Woocommerce With Checkout One Click Upsell
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in the WP Bulk Delete WordPress plugin (all versions up to and including 1.4.2) allows authenticated attackers holding administrator-level privileges to append arbitrary SQL to existing queries via the delete_user_roles POST parameter, enabling full database read access. The root cause is a code-level stripping of WordPress's built-in magic-quotes protection: wp_unslash() is called on the raw POST body before parse_str() decomposes it, leaving attacker-controlled values fully unescaped when they reach the SQL sink in class-delete-api.php. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; real-world risk is bounded by the administrator authentication requirement.

SQLi WordPress Wp Bulk Delete
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the wpForo Forum WordPress plugin (all versions through 3.1.1) allows authenticated attackers with subscriber-level access to permanently inject malicious JavaScript via the 'location' profile field. The root failure is WordPress's native sanitize_text_field() function, which strips tags but leaves double quotes unencoded, enabling attribute breakout from an href context into injected event-handler attributes. With a CVSS scope change (S:C), successful exploitation can impact sessions of any user - including administrators - who views a poisoned profile page, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis.

WordPress XSS Wpforo Forum
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Loco Translate WordPress plugin (all versions up to and including 2.8.5) is reachable through a Cross-Site Request Forgery flaw in the execTemplate function, where missing nonce validation lets an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link supply a php://filter stream wrapper as the 'template' parameter, bypassing path validation and reaching a PHP include sink to execute arbitrary code. The chain converts a classic CSRF (CWE-352) into full server compromise, carrying CVSS 8.8 (C:H/I:H/A:H). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

CSRF PHP WordPress +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Digits WordPress Mobile Number Signup and Login plugin (all versions through 9.1.0.5) lets authenticated Subscriber-level users promote themselves to Administrator by submitting a forged digits_reg_userrole value during a profile update. The flaw stems from the dig_update_wpwc_custom_fields() function failing to validate the caller's authorization or the requested role. There is no public exploit identified at time of analysis, but the low barrier (any registered user on an affected site with the DIGITS User Role field configured) and full-administrator outcome make this a high-priority patching item.

Privilege Escalation WordPress Digits
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) allows authenticated contributors to inject persistent malicious scripts via the price_wrapper shortcode attribute, due to missing sanitization and output escaping in class.shortcodes.php. A compromised or malicious contributor account can plant the payload in any page or post, where it executes against visiting victims - but only those who carry the referenced ticket ID in their cart cookie, materially narrowing the realistic victim pool. No active exploitation has been confirmed in CISA KEV, and no EPSS data was provided in the intelligence feed.

WordPress XSS Tickera Sell Tickets Manage Events
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the WPBot AI ChatBot plugin for WordPress (all versions ≤ 8.5.6) permits any subscriber-level authenticated user to invoke the plugin's RAG document re-embedding functionality without authorization, directly modifying the rag_documents database table and triggering calls to the site owner's paid AI APIs (OpenAI, Gemini, OpenRouter, or xAI). The root cause is a missing capability check in class-qcld-bot-rag.php, confirmed by Wordfence and traceable to specific code paths in qcld-wpwbot.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS 4.3 Medium score reflects constrained direct security impact - though financial harm from API credit exhaustion represents the primary real-world risk.

Authentication Bypass WordPress Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthorized deletion of chat session records in the WPBot WordPress plugin affects all versions through 8.5.6, allowing unauthenticated remote attackers to wipe arbitrary conversation history and user records by supplying a crafted userid parameter to unprotected endpoints. The root cause is a missing authorization check (CWE-862) in the chat sessions module, confirmed by Wordfence with source-level references to the vulnerable code in wpbot-chat-sessions.php. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS-assigned score of 5.3 Medium reflects the limited scope: data deletion with no confidentiality or availability impact on the service itself.

Authentication Bypass WordPress Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Themify Builder WordPress plugin (all versions through 7.7.7) permits any authenticated subscriber-level user to overwrite or delete CSS stylesheet files for arbitrary posts - including private and draft posts owned by other users - and modify plugin-scoped font options site-wide. The CSRF nonce (tf_nonce) nominally required to gate these actions is broadcast to every authenticated user visiting any public front-end builder page via wp_localize_script, making it trivially collectible and rendering it ineffective as a security control. No active exploitation is confirmed (not in CISA KEV) and no public exploit has been identified at time of analysis.

Authentication Bypass CSRF WordPress +1
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL Injection in the WP TripAdvisor Review Slider WordPress plugin (all versions through 14.6) allows authenticated attackers holding administrator-level credentials to append arbitrary SQL to existing queries via the unsanitized 'filtersource' parameter, exposing sensitive data stored in the WordPress database. The flaw originates from insufficient escaping and missing prepared statement usage across multiple display and admin class files identified by Wordfence. No public exploit code or active exploitation has been identified at time of analysis, and the high privilege requirement significantly constrains real-world impact.

SQLi WordPress Wp Tripadvisor Review Slider
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the Uncanny Automator WordPress plugin (all versions through 7.3.1.4) lets unauthenticated attackers delete any file on the server via untrusted PHP object deserialization in the fr_token function, and deleting a critical file such as wp-config.php can pivute WordPress into an installation/setup state that yields remote code execution. Exploitation is gated by a specific setup: a Forminator form must be connected to an Uncanny Automator recipe whose trigger is configured for 'Everyone', which is what exposes the deserialization sink to anonymous form submissions. A self-contained gadget chain via Action_Helpers_Email::__destruct() ships inside the plugin, so no external gadget library is needed; reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

PHP RCE WordPress +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected SQL. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided.

SQLi WordPress Tutor Lms Elearning And Online Course Solution
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Tickera - Sell Tickets & Manage Events WordPress plugin (all versions through 3.6.0.0) permits authenticated attackers holding a custom-level role or above to append arbitrary SQL to existing queries via the unsanitized 's' search parameter, enabling full database read access. The vulnerability originates in the better-attendees-and-tickets addon (index.php lines 50, 485, and 502) and is confirmed by Wordfence with source code evidence. No active exploitation is confirmed (no CISA KEV listing) and no public exploit has been identified at time of analysis, keeping real-world urgency moderate despite the High confidentiality impact.

SQLi WordPress Tickera Sell Tickets Manage Events
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Breakdance WordPress page-builder plugin (versions through 2.7.1) lets unauthenticated attackers inject persistent JavaScript through the 'fields' parameter, which then runs in the browser of any user who views the affected page. The flaw carries a CVSS 3.1 score of 7.2, elevated by a scope change (S:C) because the payload executes in visitors' browser sessions rather than the server context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; Wordfence discovered and reported it.

WordPress XSS Breakdance
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Second-order SQL injection in Quiz Master Next (QSM) for WordPress through version 11.2.0 allows authenticated attackers holding Author-level access to plant SQL payloads in quiz page data that execute whenever any user - including administrators - views the affected quiz's Questions tab. The root cause is a two-stage failure: the qsm_ajax_save_pages() AJAX handler sanitizes user-supplied 'pages' values only with sanitize_text_field() (which strips HTML/PHP tags but does not escape SQL-special characters), then qsm_options_questions_tab_content() at line 143 reconstructs those stored values into an IN() clause via implode() with no $wpdb->prepare() call and no integer casting. No public exploit code has been identified at time of analysis; however, the split-phase attack pattern - where payload planting and execution are decoupled - commonly evades first-order WAF detection and standard code scanning, elevating practical risk beyond the 6.5 CVSS score alone.

SQLi WordPress Quiz And Survey Master Qsm Quiz Maker Survey Maker
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in The Cache Purger WordPress plugin (all versions through 2.3.20) allows any subscriber-level authenticated user to permanently destroy the plugin's entire cache-purge audit log (wp-content/purge.log). The root cause is that the tcp_log_purge nonce - the only credential required to trigger log deletion - is rendered in the WordPress admin bar on frontend pages visible to all authenticated users, including the lowest-privilege subscribers, making the authorization check trivially bypassable. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress The Cache Purger
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the WP Delicious (formerly Delicious Recipes) WordPress plugin versions up to and including 1.10.2 allows authenticated Contributor-level users to inject arbitrary JavaScript via unsanitized `javascript:` URIs embedded in recipe step link attributes. The `wrap_direction_text()` function interpolates attacker-controlled `href` values directly into anchor tags using `sprintf()` without invoking WordPress's `esc_url()`, enabling payload execution in the browser of any privileged user who clicks the poisoned link while previewing or viewing the affected recipe post. No CISA KEV listing or public exploit code has been identified at time of analysis, though Wordfence's source-level disclosure provides sufficient detail for independent reproduction.

WordPress XSS Wp Delicious Recipe Plugin For Food Bloggers Formerly Delicious Recipes
NVD
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Path traversal in FunnelKit WordPress plugin before 3.15.0.6 enables authenticated administrators to delete arbitrary .json files outside the plugin's intended directory during template-import operations. The root cause is CWE-73 (External Control of File Name or Path): the deletion handler accepts user-supplied paths without canonicalization or boundary enforcement. Leveraging CVSS scope change (S:C), a malicious admin can target configuration files belonging to other installed plugins, causing cascading denial-of-service across the WordPress installation. A publicly available exploit exists; the vulnerability is not in the CISA KEV catalog at time of analysis.

Path Traversal Denial Of Service WordPress +1
NVD WPScan
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Reflected Cross-Site Scripting in the FunnelKit WordPress plugin before 3.15.0.6 lets unauthenticated attackers inject arbitrary JavaScript into a page-builder AJAX response, which executes in the browser of a logged-in user who opens an attacker-crafted link. The flaw is only reachable when the Divi builder integration is active, and publicly available exploit code exists though there is no public exploit identified as actively exploited at time of analysis. EPSS was not provided and the vulnerability is not on CISA KEV, so widespread exploitation is unconfirmed.

WordPress XSS Funnelkit
NVD WPScan
EPSS 0%
POC PATCH This Week

The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, which is normally restricted to administrators.

WordPress Information Disclosure Rtmkit
NVD WPScan
EPSS 0%
POC PATCH This Week

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.

WordPress Information Disclosure Rtmkit
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Stored cross-site scripting in the Header Footer Builder for Elementor WordPress plugin before 1.2.1 permits any Contributor-level user to inject persistent JavaScript into every page of the affected site by importing a crafted template through the plugin's dashboard action, which incorrectly requires only edit_posts capability rather than administrator access. Once the malicious Elementor HTML widget is imported with site-wide display scope, the payload executes in the browser of every visitor and administrator who loads the site - enabling session hijacking, credential theft, or admin account takeover. A publicly available exploit exists per WPScan (EUVD-2026-44878); no CISA KEV listing at time of analysis.

WordPress XSS Header Footer Builder For Elementor
NVD WPScan
EPSS 0%
POC PATCH This Week

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.

WordPress Information Disclosure Customer Reviews For Woocommerce
NVD WPScan
EPSS 0%
POC PATCH This Week

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled.

WordPress Information Disclosure Abandoned Cart Lite For Woocommerce
NVD WPScan
EPSS 0%
POC PATCH This Week

The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile, on sites where the Redux Framework WordPress plugin before 4.5.13's user-profile (Users extension) feature is enabled.

Privilege Escalation WordPress Redux Framework
NVD WPScan
EPSS 0%
POC PATCH This Week

The AI Engine WordPress plugin before 3.5.5 does not verify that a user owns the chatbot conversation referenced by a client-supplied identifier, allowing users with subscriber-level access to read other users' private conversations and take over their conversation records when the discussions feature is enabled.

WordPress Information Disclosure Ai Engine
NVD WPScan
EPSS 0%
POC PATCH This Week

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts.

WordPress Information Disclosure Happy Coders Otp Login For Woocommerce
NVD WPScan
EPSS 0%
POC PATCH This Week

The WP Job Portal WordPress plugin before 2.5.5 does not properly sanitize and escape a parameter before using it in a SQL query, allowing authenticated users with a subscriber-level (self-registerable) account to perform SQL injection attacks.

SQLi WordPress Wp Job Portal
NVD WPScan
EPSS 0%
POC PATCH This Week

The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the connected payment gateway, via Cross-Site Request Forgery against a logged-in administrator.

CSRF WordPress Appointment Booking Plugin
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Stored cross-site scripting via prompt injection in the BetterDocs WordPress plugin (versions 4.0.0 through 4.5.5) allows unauthenticated attackers to permanently implant malicious JavaScript into documentation pages by manipulating the plugin's AI-generated summary feature. Because the AI output is stored unsanitized and the generation endpoint requires no authentication, an attacker can craft adversarial prompts that cause the AI to produce and persist executable script payloads - payloads that then fire in the browser of every subsequent visitor, including WordPress administrators. A publicly available exploit exists via WPScan; no active exploitation confirmed in CISA KEV at time of analysis.

WordPress XSS Betterdocs
NVD WPScan
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL Injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'sort_field' parameter, exposing sensitive database contents. The vulnerability resides in seo-booster.php (lines 389, 404, 406) where user-supplied sort input is neither escaped nor parameterized before being incorporated into SQL execution. Despite a high confidentiality impact, exploitation is gated behind WordPress administrator-level credentials (PR:H), substantially limiting the realistic attack surface. No public exploit identified at time of analysis; a WordPress Trac changeset (3606177) suggests a patch has been committed.

SQLi WordPress Seo Booster
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in the miniOrange SAML Single Sign On - SSO Login plugin for WordPress (all versions through 5.4.3) lets unauthenticated attackers forge SAML assertions and seize any account, including administrator. The plugin trusts the SignatureMethod algorithm declared inside the attacker-supplied SAMLResponse, enabling an RSA-to-HMAC signature confusion attack that yields valid WordPress auth cookies and full admin takeover. Reported by Wordfence; no public exploit identified at time of analysis, but the flaw is trivially exploitable and carries a 9.8 CVSS.

Authentication Bypass WordPress Jwt Attack +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the RPB Chessboard WordPress plugin (all versions through 8.1.2) lets unauthenticated attackers plant persistent JavaScript through comment content that executes in the browser of anyone who later views the affected page. The novel aspect, per Wordfence, is that WordPress's normal save-time kses sanitization is bypassed because the payload uses only kses-allowed tags/attributes (an <a> element with title and href) and the dangerous attribute-breaking markup is assembled entirely at render time by the plugin's own comment_text filter. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, no-interaction entry point makes it a practical drive-by injection risk.

WordPress XSS Rpb Chessboard
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Time-based SQL injection in the SEO Booster WordPress plugin (versions up to and including 7.3.1) allows authenticated administrators to extract sensitive database contents by manipulating the unquoted 'orderby' parameter in the Google Search Console list table component. The root cause is that developer-applied sanitization functions esc_sql() and sanitize_text_field() fail to neutralize SQL keywords, subquery syntax, commas, or parentheses when used in an ORDER BY clause context, leaving the clause fully attacker-controlled. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS score data was not provided.

SQLi WordPress Seo Booster
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. No public exploit code has been identified at time of analysis, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.

WordPress XSS Product Feed Manager For Woocommerce Sell On 200 Online Marketplaces
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Easy Accordion - AI-Powered FAQ & Accordion Blocks, Product FAQ plugin (all versions ≤ 3.1.6) enables authenticated attackers holding contributor-level WordPress roles to inject persistent JavaScript payloads via the unsanitized 'align' block attribute. The injected script executes in the browser of any user - including administrators - who views the affected page, making session hijacking and privilege escalation realistic follow-on impacts. No public exploit code or CISA KEV listing has been identified at time of analysis, but Wordfence source code references pinpoint the exact vulnerable lines, substantially lowering the barrier to exploitation.

WordPress XSS Easy Accordion Ai Powered Faq Accordion Blocks Product Faq
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in MultiVendorX (WooCommerce Multivendor Marketplace) plugin versions up to and including 5.0.9 allows any authenticated WordPress user to extract sensitive data from the database via the unparameterized 'order_by' argument in the transactions REST endpoint. Critically, the default plugin configuration automatically approves store owner registrations, meaning any subscriber-level WordPress account holder can self-elevate to store_owner role via the public Stores REST endpoint, then immediately exploit the injection - effectively lowering the real-world privilege bar to any authenticated user. No public exploit code or CISA KEV listing has been identified at time of analysis, but the default-on privilege escalation path substantially raises exploitability beyond the PR:L CVSS score suggests.

SQLi WordPress Multivendorx Woocommerce Multivendor Marketplace Ai Powered Solutions
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in GiveWP's Sequoia donation template allows authenticated attackers with give worker-level access to inject persistent JavaScript payloads via the 'twitter_message' template setting, affecting all WordPress installations running plugin versions through 4.16.3. The injected payload is not sanitized before being embedded inside a JavaScript template literal in the Sequoia confirmation view's social-sharing component, and executes in the donor's browser specifically when they click the 'Share on Twitter' button after completing a donation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the Wordfence disclosure includes direct source code references confirming the unsanitized evaluation path.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in the Landing Page Builder - Coming Soon Page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin (all versions up to and including 1.5.3.6) allows unauthenticated remote attackers to manipulate arbitrary WordPress posts by sending a forged AJAX request that inherits an authenticated editor or administrator's browser session. Missing nonce validation on the ulpb_admin_ajax function means a victim who clicks a crafted link while logged in unknowingly authorizes post creation, modification of titles, slugs, types, status, and injection of ULPB_DATA post meta. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified; EPSS data was not provided in available intelligence.

CSRF WordPress Landing Page Builder Coming Soon Page Maintenance Mode Lead Page Wordpress Landing Pages
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in ThemeHunk's Advance Product Search - Voice & Ajax Search for WooCommerce plugin (all versions ≤ 1.4.4) lets unauthenticated attackers inject arbitrary SQL through the 's' and 'match' search parameters, enabling extraction of sensitive database contents such as user credentials and order data. The flaw stems from unescaped, unprepared query construction in the plugin's AJAX search backend and is remotely exploitable without authentication or user interaction. Reported by Wordfence; no public exploit identified at time of analysis and not listed in CISA KEV.

SQLi WordPress Advance Product Search Voice Ajax Search For Woocommerce
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive information exposure in the List Category Posts WordPress plugin (all versions through 0.95.0) allows authenticated contributors to read non-public posts belonging to other users - including pending-review, scheduled, and trashed content with full body text, excerpts, authors, and custom-field metadata. Exploitation requires only a contributor-level account and the ability to embed the native [catlist] shortcode in a draft post, then preview it, triggering the flawed sanitize_status logic. This is a confirmed bypass of the incomplete authorization fix shipped in version 0.93.0 for CVE-2025-11377, indicating the root authorization flaw was never fully remediated. No public exploit code or CISA KEV listing is identified at time of analysis.

Authentication Bypass WordPress Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the Catch Themes Demo Import WordPress plugin (versions up to and including 3.3) allows any subscriber-level authenticated user to force-install a hardcoded third-party plugin onto the target WordPress site. The vulnerability exists because catch_themes_demo_import_activate_plugin(), hooked on admin_init, invokes Plugin_Upgrader::install() to fetch and install 'essential-content-types' from WordPress.org before performing the current_user_can('activate_plugins') capability check - a classic authorization-check inversion. No public exploit code has been identified at time of analysis, and the constrained impact (only one hardcoded plugin can be installed, not arbitrary ones) meaningfully limits real-world severity despite the low authentication requirement.

Authentication Bypass WordPress Catch Themes Demo Import
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the MxChat AI Chatbot & Content Generation WordPress plugin (versions up to and including 3.2.10) enables authenticated administrators to persist malicious scripts through admin settings panels. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, narrowing the realistic attack surface significantly. No public exploit code or active exploitation (CISA KEV) has been identified; CVSS 4.4 Medium reflects the restricted conditions and high privilege requirement.

WordPress XSS Mxchat Ai Chatbot Content Generation For Wordpress
NVD VulDB
MEDIUM PATCH This Month

Pixeldrain API key exfiltration in cyberdrop-dl-patched (versions 8.5.0 through 9.13.x) allows a network attacker who controls a lookalike domain (e.g., evil-pixeldrain.com) to receive the victim's Pixeldrain Authorization header when the tool processes a crafted URL. The root cause is substring-based host matching: any domain containing 'pixeldrain' as a substring is accepted as a valid Pixeldrain host, causing the tool to blindly send API credentials to attacker-controlled infrastructure. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the attack path is straightforward and fully described in the advisory.

WordPress Information Disclosure
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the Gravity Forms WordPress plugin (all versions through 2.10.4) lets unauthenticated attackers read sensitive files from the web server by abusing the 'gform_uploaded_files' parameter against the process_send_resume_link endpoint. Reported by Wordfence, the flaw carries CVSS 7.5 and is exfiltrated by directing the traversal-retrieved file to an attacker-controlled email as a form notification attachment. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal WordPress Gravity Forms
NVD
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

UNION-based SQL injection in the Quotes Llama WordPress plugin (all versions before 3.1.6) lets unauthenticated remote attackers inject arbitrary SQL through an unsanitized request parameter and read any data from the WordPress database, including user password hashes. Publicly available exploit code exists and a vendor patch has been released; the flaw carries a high EPSS-relevant profile because it is remotely reachable with no authentication or user interaction. This is no public exploit identified as actively exploited (not in CISA KEV), but working PoC availability makes opportunistic mass-scanning likely.

SQLi WordPress Quotes Llama
NVD WPScan VulDB
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Authentication bypass in the Shibboleth WordPress plugin before 2.5.4 lets remote unauthenticated attackers forge identity headers and log in when the HTTP header identity mode is enabled without an anti-spoofing key. Because the plugin fails open rather than closed, any request carrying identity headers is trusted as an authenticated session, and with automatic account creation plus the default administrator role mapping an attacker can provision and sign in as a brand-new administrator. Rated CVSS 8.1 (CWE-287); publicly available exploit code exists (WPScan), but it is not listed in CISA KEV.

Authentication Bypass WordPress Shibboleth
NVD WPScan VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. A publicly available proof-of-concept exists per WPScan; the vulnerability is not currently listed in the CISA KEV catalog, though the low privilege bar and default-enabled feature make it an actionable risk on any multi-user WordPress installation running the affected plugin.

Authentication Bypass WordPress Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. Impact is bounded by WordPress's core MIME type allowlist, which prevents upload of executable files and thereby rules out code execution; a publicly available proof-of-concept is confirmed by WPScan, and no CISA KEV listing is present at time of analysis.

File Upload RCE WordPress +1
NVD WPScan VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload in the Podlove Podcast Publisher WordPress plugin (all versions through 4.5.1) allows remote attackers to place attacker-controlled files on the server via the image caching path, potentially escalating to remote code execution. The root cause is incomplete file-type validation in the plugin's image cache handling, where a cached file's extension was trusted rather than re-derived from the actual validated image type. Reported by Wordfence and fixed upstream; no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

RCE WordPress Podlove Podcast Publisher
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Academy LMS WordPress plugin (all versions through 3.8.0) allows authenticated attackers with Subscriber-level access to read, overwrite, or delete the private lesson notes of any user - including administrators - and to falsify lesson-completion records for arbitrary accounts. Three AJAX handlers (save_lesson_note, get_lesson_note, complete_lesson_video) perform no ownership validation on a user-controlled key, making cross-user data manipulation trivially achievable by any registered site user. No public exploit identified at time of analysis, but the attack surface is fully described via Wordfence's public threat-intelligence entry and source-level code references.

Authentication Bypass WordPress Academy Lms
NVD
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

Account takeover in the WP 2FA WordPress plugin (all versions before 3.1.1.2) is achievable by any attacker who has obtained a valid user's credentials. The plugin fails to verify that the email address submitted during two-factor authentication enrollment belongs to the authenticated account (CWE-862: Missing Authorization), allowing the attacker to redirect the setup verification code to an attacker-controlled inbox and complete 2FA enrollment on behalf of the victim. A publicly available proof-of-concept exists per WPScan; this vulnerability is not currently listed in the CISA KEV catalog, but the combination of a PoC, medium-prevalence deployment, and account-takeover impact warrants prompt patching.

Authentication Bypass WordPress Wp 2Fa
NVD WPScan
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Unauthenticated PHP object injection in the Newsletters WordPress plugin before 4.15 lets remote attackers deserialize attacker-controlled data submitted through a public-facing form, then leverage a property-oriented gadget chain bundled inside the plugin itself to write arbitrary files and achieve remote code execution on the host. Publicly available exploit code exists (published via WPScan), though there is no public exploit identified as being used in active attacks and the flaw is not listed in CISA KEV. The self-contained gadget chain removes the usual dependency on third-party gadgets, making reliable exploitation notably more achievable than typical POI bugs.

PHP WordPress Deserialization +1
NVD WPScan
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Arbitrary file write in the AI Engine WordPress plugin before 3.5.5 lets authenticated editor-level users abuse an unsanitized, user-supplied filename during a file-download-and-save operation to plant attacker-controlled bytes anywhere the web server user can write via path traversal. Because writing a PHP payload into the webroot typically yields remote code execution, this crosses from a content-management flaw into full site compromise. Publicly available exploit code exists and a vendor patch has shipped, though the issue is not listed in CISA KEV.

Path Traversal WordPress Ai Engine
NVD WPScan
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

SureForms WordPress plugin before 2.11.1 permits unauthenticated attackers to submit manipulated payment amounts below the configured price on any form using a dynamically-sourced or hidden variable payment field, enabling financial fraud against site operators. The integrity bypass is confined to forms with variable pricing; fixed-price forms are explicitly unaffected. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 2.11.1 - though no CISA KEV listing confirms active mass exploitation at time of analysis.

WordPress Information Disclosure Sureforms
NVD WPScan
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list.

PHP CSRF WordPress +1
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored cross-site scripting in the Ultimate Before After Image Slider & Gallery WordPress plugin (all versions before 4.7.1) enables users with administrator-level access to plant persistent malicious scripts via the BEAF Slider widget's shortcode field, which then execute silently in the browsers of any site visitor loading a page displaying the widget. The plugin pipes the field value through WordPress's native do_shortcode() function without sanitizing or escaping the output, causing unrecognized content to be echoed verbatim to the rendered page. A publicly available proof-of-concept has been disclosed by WPScan; no active exploitation has been confirmed in the CISA Known Exploited Vulnerabilities catalog.

WordPress Information Disclosure Ultimate Before After Image Slider Gallery
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Customer Area WordPress plugin (versions up to and including 8.3.5) allows authenticated attackers with Contributor-level access or above to persistently inject arbitrary JavaScript via the unsanitized 'type' attribute of the customer-area-protected-content shortcode. The injected payload executes in the browser of any user who visits the compromised page, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis; however, the Contributor-level prerequisite is a low barrier in multi-author WordPress environments.

XSS WordPress Wp Customer Area
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the News Kit Addons For Elementor WordPress plugin (versions ≤1.4.6) permits authenticated contributors to persistently inject arbitrary JavaScript into pages via the Site Logo Title and Single Author Box widgets by manipulating the elementor_ajax AJAX save request to bypass client-side tag-name restrictions. Every user who subsequently visits an injected page executes the attacker's script in their browser, enabling session hijacking, credential theft, or admin-level actions on their behalf. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; a vendor-released patch is available in version 1.4.7.

XSS WordPress News Kit Addons For Elementor
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthorized account self-registration in the FoodBook Lite WordPress plugin through version 1.5.6 allows unauthenticated remote attackers to create 'customer'-role accounts and obtain valid WordPress authentication cookies, even when the site administrator has explicitly disabled user registration. The flaw exists because the plugin's registration() function is registered on the publicly accessible wp_ajax_nopriv_registration_action AJAX hook and calls wp_insert_user() without performing nonce verification, capability checks, or consulting the users_can_register site option. No public exploit has been identified at time of analysis and no KEV listing exists; Wordfence reported the issue with a confirmed fix in version 1.5.7.

Authentication Bypass WordPress Foodbook Lite Online Food Ordering System
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive information exposure in the Smart Slider 3 WordPress plugin (all versions up to and including 3.5.1.37) allows authenticated Contributor-level users to extract titles and full content excerpts of private, draft, pending, trashed, and auto-draft posts belonging to any user on the site - including Administrators and Editors - via the unsecured 'keyword' Ajax parameter. The attack barrier is further lowered because the required nonce is automatically emitted on /wp-admin/post-new.php, a page accessible to any Contributor by default through the edit_posts capability, making nonce acquisition trivial. No public exploit code and no confirmed active exploitation (CISA KEV) have been identified at time of analysis.

PHP Information Disclosure WordPress +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Avada (Fusion) Builder WordPress plugin versions up to 3.15.5 allows authenticated contributors to inject persistent malicious scripts via the 'Module Title' parameter, executing in the browsers of any user who views the affected page. This grants attackers the ability to steal session tokens, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No public exploit or CISA KEV listing has been identified at time of analysis, though the Contributor-level entry bar makes this accessible to a broad attacker pool on sites with open registration.

XSS WordPress Avada Fusion Builder
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing authorization in the License Manager for WooCommerce WordPress plugin (versions through 3.0.17) allows authenticated low-privilege users to perform arbitrary content deletion without proper permission checks. The flaw stems from CWE-862, where sensitive plugin actions are accessible to any authenticated user regardless of their assigned role. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress License Manager For Woocommerce
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Missing authorization in WooCommerce Bulk Edit Products - WP Sheet Editor (versions up to and including 1.8.21) permits authenticated high-privilege users to exploit incorrectly configured access control security levels, resulting in unauthorized bulk modification of WooCommerce product data. The vulnerability stems from CWE-862 (Missing Authorization), where the plugin fails to enforce proper capability checks before executing privileged bulk-edit operations via the network. No public exploit code exists and this CVE is not listed in the CISA KEV catalog at time of analysis, though the integrity-only impact and high-privilege requirement constrain the realistic attack surface.

Authentication Bypass WordPress Woocommerce Bulk Edit Products Wp Sheet Editor
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file download via path traversal in the Forminator WordPress plugin (WPMU DEV) affects all versions up to and including 1.55.0.2, letting remote unauthenticated attackers read files outside the intended directory (CVSS 7.5, confidentiality-only). The Patchstack reference characterizes this as an arbitrary file download flaw, meaning sensitive server files such as wp-config.php could be exfiltrated. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Path Traversal WordPress Forminator
NVD
EPSS 0% CVSS 7.1
HIGH This Week

DOM-based cross-site scripting in the WPMU DEV Forminator WordPress plugin (versions up to and including 1.55.0.1) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a maliciously crafted link or page element. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope-changing impact but requires user interaction; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS WordPress Forminator
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in the APIExperts "Square for WooCommerce" (woosquare) WordPress plugin affects all versions up to and including 4.7.4, allowing an authenticated attacker to inject crafted SQL into a database query and infer or extract data via boolean/time-based blind techniques. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because the CVSS vector specifies PR:L, exploitation requires an existing low-privileged authenticated session rather than fully anonymous access.

SQLi WordPress Apiexperts Square For Woocommerce
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in the Zorem "Advanced Shipment Tracking for WooCommerce" WordPress plugin (all versions through 4.0) lets an authenticated high-privileged user inject SQL into a backend query and extract database contents inference by inference. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed via Patchstack. Because exploitation requires elevated WordPress privileges (CVSS PR:H), real-world risk is bounded to trusted-but-abusive or compromised admin/shop-manager accounts rather than anonymous internet attackers.

SQLi WordPress Advanced Shipment Tracking For Woocommerce
NVD
EPSS 1% CVSS 8.6
HIGH This Week

Arbitrary file deletion in WP Swings' Membership For WooCommerce WordPress plugin (all versions up to and including 3.1.0) lets remote attackers delete files outside the intended directory via unsanitized path input. The CVSS vector (PR:N) indicates the flaw is reachable without authentication, and the scope-changed rating reflects that deletion of critical files (e.g., wp-config.php) can break or reset the entire WordPress site. No public exploit has been identified at time of analysis; the issue was reported by Patchstack.

Path Traversal WordPress Membership For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Authentication bypass in VillaTheme's Abandoned Cart Recovery for WooCommerce (versions through 1.1.12) allows unauthenticated remote attackers to access protected functionality via an alternate authentication path or channel (CWE-288). The CVSS vector confirms network-reachable, zero-complexity exploitation requiring no privileges or user interaction, yielding partial confidentiality and integrity compromise. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and unauthenticated nature elevate practical risk for any WooCommerce store running this plugin.

Authentication Bypass WordPress Abandoned Cart Recovery For Woocommerce
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in Razorpay Payment Links for WooCommerce (versions through 2.1.4) allows unauthenticated network attackers to invoke privileged plugin actions without any authentication check. The flaw stems from CWE-862, where one or more AJAX endpoints or REST routes in the plugin fail to verify the caller's identity or capability before executing sensitive operations, resulting in low-severity integrity and availability impacts against WooCommerce payment link workflows. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass WordPress Razorpay Payment Links For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the VillaTheme Bopo - WooCommerce Product Bundle Builder plugin for WordPress affects all versions up to and including 1.2.0, letting unauthenticated attackers inject script into a victim's browser session when the victim clicks a crafted link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a scope change, meaning injected script executes in the WordPress site's security context and can target logged-in administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but reflected XSS in WooCommerce plugins is a well-understood and easily weaponized class.

XSS WordPress Bopo Woocommerce Product Bundle Builder
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stock Locations for WooCommerce plugin (versions through 3.1.8) exposes one or more privileged operations without performing authorization checks, allowing authenticated low-privileged WordPress users to manipulate stock location data they should have no rights to modify. Rooted in CWE-862 (Missing Authorization), the flaw means the plugin accepts and executes sensitive requests based solely on authentication rather than verifying the requester's WordPress capability level. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-privilege access requirement and straightforward network exploitation path make it a realistic risk for any multi-location WooCommerce store running the affected plugin.

Authentication Bypass WordPress Stock Locations For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in QuantumCloud's WoowBot (ChatBot for eCommerce) WordPress plugin allows authenticated low-privileged users to inject persistent malicious scripts that execute in victims' browsers when stored content is rendered. Versions through 4.6.1 are affected, with a scope change confirmed by the CVSS vector (S:C), meaning attacker-controlled JavaScript runs in the context of other users - including administrators. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS WordPress Chatbot For Ecommerce 8211 Woowbot
NVD
EPSS 0% CVSS 7.1
HIGH This Week

DOM-based cross-site scripting affects the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (slug profit-products-tables-for-woocommerce) in all versions through 1.1.0, letting a remote attacker deliver crafted input that is unsafely written into the DOM and executed as script in a victim's browser. Because the CVSS scope is changed (S:C) and no authentication is required (PR:N), successful exploitation can affect resources beyond the vulnerable component, though it requires the victim to interact with an attacker-influenced page or link (UI:R). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was supplied.

XSS WordPress Active Products Tables For Woocommerce
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery in WP Swings' PDF Generator for WordPress plugin (all versions up to and including 1.6.2) lets remote attackers coerce the WordPress server into issuing attacker-controlled outbound requests, with a scope-changed impact reaching adjacent internal systems. Reported by Patchstack and tracked as CWE-918 with a CVSS 3.1 base score of 7.2, it currently has no public exploit identified at time of analysis and is not listed in CISA KEV. Because the scope is changed (S:C), successful abuse can pivot the server against internal metadata endpoints, intranet services, or cloud IMDS resources beyond the WordPress host itself.

WordPress SSRF Pdf Generator For Wordpress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in the Booking and Rental Manager WordPress plugin (≤ 2.6.9) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification of booking data and partial disruption of plugin availability. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication or user interaction against any internet-facing WordPress/WooCommerce site running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforwardly exploitable once a target is identified.

Authentication Bypass WordPress Booking And Rental Manager
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting in the wpdesk Flexible Refund and Return Order for WooCommerce plugin (versions through 1.0.51) allows authenticated low-privileged users - such as registered WooCommerce customers - to inject persistent malicious scripts that execute in the browsers of other users, including administrators who review refund submissions. The scope-changed CVSS vector (S:C) confirms impact crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against shop owners. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

XSS WordPress Flexible Refund And Return Order For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization (CWE-862) in the Event Tickets Manager for WooCommerce WordPress plugin versions through 1.5.5 allows unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited but unauthorized modification of data and disruption of availability. The CVSS vector (PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, lowering the barrier for abuse against any WordPress site with the plugin installed and active. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Event Tickets Manager For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the Flintop "Free Gifts for WooCommerce" WordPress plugin (all versions through 13.1.0) lets an attacker inject persistent JavaScript that executes in the browser of anyone viewing the affected page. Reported by Patchstack and tracked as CWE-79, it carries a CVSS 7.1 score driven by a changed scope (S:C), and has no public exploit identified at time of analysis. No CISA KEV listing or POC has been reported, so this is a disclosed-but-not-yet-weaponized web plugin flaw.

XSS WordPress Free Gifts For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive system information exposure in the WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) enables authenticated low-privilege users to retrieve embedded sensitive data via network requests. Classified under CWE-497, the flaw allows an attacker with minimal WordPress credentials - such as a customer or subscriber account - to access system-level or configuration data that should be restricted to administrative contexts. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the high confidentiality impact and low privilege requirement make it a meaningful risk for WooCommerce merchants running affected plugin versions.

Information Disclosure WordPress Woocommerce Pdf Invoice Builder
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in the Extra Product Options Builder for WooCommerce plugin (versions through 1.2.167) permits remote unauthenticated attackers to perform restricted actions without valid credentials, impacting both data integrity and service availability on affected WordPress storefronts. The flaw stems from CWE-862 - the plugin exposes endpoints or AJAX actions that fail to verify whether the caller holds the necessary capability or role before executing sensitive operations. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA KEV catalog.

Authentication Bypass WordPress Extra Product Options Builder For Woocommerce
NVD
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.

WordPress SQLi Library Management System
NVD WPScan VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers' private account email addresses by enumerating job identifiers.

WordPress Information Disclosure Wp Job Portal
NVD WPScan VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Missing authorization in WP Job Portal WordPress plugin before 2.5.5 allows any self-registered subscriber to approve, feature, or reject arbitrary job listings owned by other users, bypassing both capability and ownership checks entirely. The subscriber role is self-registerable on most WordPress sites, meaning an unauthenticated attacker can trivially obtain the access level needed to exploit this flaw with no admin interaction required. A publicly available proof-of-concept exists; no CISA KEV listing indicates confirmed mass exploitation at time of analysis.

Information Disclosure WordPress Wp Job Portal
NVD WPScan VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass paid/private-course access controls when the Droip or Kirki page-builder integration is active. Because these integration handlers omit the enrollment, purchase, and private-course capability checks enforced in the core course handler, low-privileged accounts can self-enroll in paid or private courses, read otherwise-restricted content, and mark arbitrary courses complete. Reported by WPScan with publicly available exploit detail and a vendor patch released; no active exploitation is currently listed in CISA KEV.

WordPress Information Disclosure Tutor Lms
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-level user to overwrite and take over arbitrary posts or pages sitewide, including administrator-owned content. The content-builder save handler validates the request against an unrelated identifier rather than confirming the requesting user owns or is permitted to edit the target post, making the authorization check entirely ineffective. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis, though the low barrier (instructor account only) and high integrity impact elevate real-world risk significantly.

Information Disclosure WordPress Tutor Lms
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Tutor LMS WordPress plugin (all versions before 3.9.13) allows authenticated users with subscriber-level access to post auto-approved comments containing arbitrary HTML and external links on any site content, bypassing the comment moderation queue entirely. The vulnerable comment handler performs no authorization check and no post-target validation before creating comments, making this exploitable by any registered user on sites with open registration - a common LMS deployment pattern. A publicly available POC from WPScan exists; no CISA KEV listing indicates confirmed mass exploitation, but the low privilege bar and POC availability make this a realistic content-integrity threat.

Authentication Bypass WordPress Tutor Lms
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Missing ownership verification in Tutor LMS WordPress plugin before 3.9.13 allows any authenticated subscriber-level user to overwrite other students' quiz attempt records, including their scores and pass/fail status. The flaw is an insecure direct object reference (IDOR) pattern: the plugin writes to quiz attempts without confirming the requesting user owns that attempt. A public exploit exists per WPScan, meaning the technique is documented and reproducible; however, this CVE is not listed in the CISA KEV catalog, indicating no confirmed mass exploitation at time of analysis.

Information Disclosure WordPress Tutor Lms
NVD WPScan
Page 1 of 193 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy