WordPress
Monthly
Stored Cross-Site Scripting in the Simple SEO Slideshow WordPress plugin (all versions through 1.2.8) allows authenticated attackers holding contributor-level roles to inject persistent JavaScript payloads via unsanitized shortcode attributes. Because WordPress KSES does not strip malicious values from shortcode attributes during post save, the payload survives sanitization and executes for every subsequent visitor - including administrators reviewing the post - making privilege escalation a realistic downstream impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the Wordfence intelligence platform has formally catalogued it.
Stored Cross-Site Scripting in the Express Payment For Stripe WordPress plugin (versions up to and including 1.28.0) allows authenticated contributors to permanently embed malicious JavaScript into site pages via the unsanitized 'type' attribute of the [stripe-express] shortcode. The root defect is in register_shortcode() within wp-stripe-shortcodes.php, where the attribute value is concatenated directly into an HTML attribute without passing through WordPress's esc_attr() or any equivalent escaping function. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV; however, the CVSS Changed Scope (S:C) signals that successful exploitation escapes the contributor's own security context and can compromise higher-privileged users such as administrators who visit the injected page.
Payment forgery in the Event Monster WordPress plugin (versions through 2.1.0) allows unauthenticated remote attackers to generate valid paid event tickets without completing any actual payment transaction. The AJAX handler wp_ajax_nopriv_em_capture_payment accepts client-supplied transaction ID, amount, and payment status values at face value, with no PayPal API verification, no nonce, and no capability check - meaning any HTTP client can POST fabricated payment confirmation data and receive a fully authenticated QR-coded ticket via email. No public exploit has been identified at time of analysis, but the attack requires no authentication and minimal technical skill, making it a meaningful financial fraud risk for any site using this plugin for paid events.
Cross-Site Request Forgery in the Frontend User Notes WordPress plugin (all versions through 2.1.1) allows unauthenticated remote attackers to trick an authenticated victim into overwriting their own note content. The funp_ajax_modify_notes function lacks proper nonce validation, enabling forged requests to invoke wp_update_post() on behalf of the logged-in victim. No public exploit has been identified at time of analysis, and the attack's impact is bounded by ownership enforcement: only the tricked victim's own notes can be altered, not those of arbitrary third-party users.
Time-based blind SQL injection in the Quiz and Survey Master (QSM) WordPress plugin versions through 11.1.2 allows authenticated administrators to extract sensitive database contents via the unsanitized 'order' parameter in the quiz API. The vulnerability resides in class-qsm-quiz-api.php at multiple query construction points (lines 126, 131, 164, 243, 374), where user-supplied sort order values are concatenated directly into SQL without prepared statements. Critically, if the plugin's secret key is exposed, this privilege barrier drops, enabling lower-privileged users to exploit the same injection path. No public exploit code or CISA KEV listing is identified at time of analysis.
Arbitrary Media Library attachment deletion in the Charitable donation plugin for WordPress (versions through 1.8.11.1) is achievable by any authenticated user with Subscriber-level access or above via a two-stage IDOR exploit chain in the profile avatar update flow. The attack chains two weak points: Charitable_Data_Processor::process_picture() returns a raw user-supplied attachment ID verbatim when no file is uploaded, allowing an attacker to poison their own avatar user meta with any arbitrary attachment ID, which save_avatar() then blindly passes to wp_delete_attachment() without verifying that the target attachment belongs to the requesting user. No public exploit has been identified at time of analysis, and exploitation is constrained to authenticated users on sites with active user registration.
Arbitrary directory deletion in the WPvivid Backup & Migration WordPress plugin (all versions through 0.9.128) allows authenticated administrators to remove arbitrary server-side folders by submitting a crafted path to the delete_cancel_staging_site() function. Impact is confined to integrity and availability - server files and directories can be irreversibly destroyed - with no confidentiality exposure. No public exploit identified at time of analysis, and exploitation requires high-privilege WordPress credentials, substantially limiting real-world risk.
Authorization bypass in the Alba Board WordPress plugin (all versions through 2.1.3) exposes private project card data to unauthorized access. Despite the CVSS vector assigning PR:L (low privileges required), the vulnerability description explicitly reveals a more severe exploitation path: the AJAX handler is registered under the wp_ajax_nopriv_ hook, and the required nonce is broadcast to all site visitors via wp_localize_script on any page rendering the [alba_board] shortcode - enabling fully unauthenticated access to private alba_card records including titles, descriptions, assignees, due dates, tags, and comments. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, though the vulnerable code path is publicly browsable in the WordPress plugin repository.
Authenticated remote code execution in the Admin Columns WordPress plugin (versions through 7.0.18) allows Contributor-level users to inject serialized PHP objects via post meta and trigger a bundled POP gadget chain through the Laravel SerializableClosure component. Reported by Wordfence with CVSS 8.8, no public exploit identified at time of analysis, though the low privilege barrier and bundled gadget chain make weaponization straightforward for any researcher with plugin access.
Remote code execution in WP Captcha PRO (premium version of the Advanced Google reCAPTCHA WordPress plugin) through version 5.38 allows authenticated Subscriber-level attackers to upload arbitrary files, including PHP webshells, by abusing the licensing module's save_ajax() capability check and the unrestricted archive extraction in sync_cloud_protection(). No public exploit identified at time of analysis, but the CVSS 8.8 rating and trivial Subscriber-level prerequisite - common on sites with open registration - make this a high-priority WordPress ecosystem flaw. Wordfence is the original reporter and primary intelligence source.
Authentication bypass in WP Captcha PRO (and the free Advanced Google reCAPTCHA plugin sharing the same slug) for WordPress versions through 5.38 allows authenticated Subscriber-level users to log in as any account, including Administrator. The flaw chains a missing capability check in the ajax_run_tool() AJAX handler with the create_temporary_link tool that issues passwordless login links for arbitrary users, enabling full account takeover. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. No public exploit identified at time of analysis, but the trivial exploitation path and 9.8 CVSS score make this an urgent patch priority for any WordPress site running the plugin.
Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed.
Server-Side Request Forgery in the Essential Blocks WordPress plugin (versions through 6.1.3) allows authenticated users with Author-level access or higher to coerce the WordPress server into making arbitrary outbound HTTP requests via the save_ai_generated_image() function. The flaw enables attackers to probe internal network services, read responses from internal endpoints, and potentially modify state on services that trust requests from the WordPress host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored cross-site scripting in Shopware's media manager allows any authenticated admin to upload an unsanitized SVG file containing arbitrary JavaScript that executes in the Shopware domain context when the file is accessed by any user. The upload pipeline - spanning MediaUploadController, FileSaver, and TypeDetector - classifies SVG as a valid ImageType with VECTOR_GRAPHIC flag but performs zero content sanitization: no DOMPurify, no enshrined/svg-sanitize, no strip_tags on SVG XML content. In an e-commerce context this enables admin account takeover, customer data exfiltration, and malicious plugin installation. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV.
WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Soliloquy Lite 2.5.6 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting script tags in the post title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in MasterStudy LMS Pro Plus for WordPress exposes database contents to authenticated instructors through the unsanitized 'columns' parameter, affecting all versions up to and including 4.8.20. The vulnerability stems from insufficient input escaping and absent parameterized query preparation, enabling authenticated attackers with at minimum instructor-level access to append arbitrary SQL to existing queries and extract sensitive data. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and high confidentiality impact make this a meaningful risk for multi-tenant LMS deployments where instructors are semi-trusted external parties.
Unauthenticated information disclosure in the SP Project & Document Manager WordPress plugin (versions up to and including 4.71) allows remote attackers to enumerate file metadata and obtain download links for arbitrary files stored within project folders. The flaw stems from a broken authorization gate in the view_file AJAX handler where a negated nonce check is OR-chained with permission checks, causing the entire condition to evaluate true when no valid nonce is supplied. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects confidentiality-only impact with no integrity or availability consequences.
Cross-Site Request Forgery in the EmergencyWP WordPress plugin (all versions ≤1.4.2) permits unauthenticated attackers to overwrite critical plugin settings by tricking an authenticated site administrator into triggering a forged request. The missing nonce validation in the form_settings_ui settings save handler exposes controls that include WordPress role capability manipulation (add_cap/remove_cap), a data-erasure-on-uninstall flag, life-check timing, and the mandator notification email - settings whose combined impact exceeds the CVSS 4.3 baseline. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the role-capability attack surface warrants prioritized patching for sites relying on this plugin.
Stored Cross-Site Scripting in the Passeum Ticketing WordPress plugin (all versions ≤ 1.0) allows authenticated administrators on multisite installations to load attacker-controlled JavaScript and CSS on every frontend page that renders a plugin shortcode. The attack path runs through the plugin's `shop_name` setting: the `validate_shop_name()` function accepts any non-empty string, and `get_shop_url()` passes URLs beginning with 'http' directly to `wp_register_script()` and `wp_register_style()` without sanitization, causing the site to enqueue external resources from an attacker-controlled domain for all site visitors. No public exploit identified at time of analysis, and the vulnerability is explicitly scoped to WordPress multisite environments - single-site administrators are unaffected because they already hold the `unfiltered_html` capability.
Unauthenticated SQL injection in the ARMember Premium WordPress plugin (versions up to and including 7.3.1) allows remote attackers to extract sensitive database contents by injecting crafted values into the 'order' and 'orderby' parameters of the arm_directory_paging_action AJAX endpoint. With CVSS 7.5 reflecting confidentiality-only impact and no public exploit identified at time of analysis, the bug is reachable without credentials but EPSS data was not provided to estimate exploitation likelihood.
SQL Injection in ARMember Premium WordPress membership plugin (versions up to and including 7.3.1) enables authenticated attackers with Subscriber-level access to extract sensitive database contents via the `get_private_content_data` AJAX action. The flaw resides in the `sSortDir_0` parameter, which is concatenated unsanitized into an ORDER BY clause - a notoriously difficult injection point to parameterize, requiring explicit allowlist validation that is absent here. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the low authentication bar (subscriber accounts) and network-accessible attack vector make it a meaningful risk where the addon is active.
Account takeover in the ARMember Premium WordPress plugin through version 7.3.1 stems from the plugin storing a plaintext password reset key in the `arm_reset_password_key` user meta field alongside WordPress core's properly hashed token. When chained with the companion SQL injection issues CVE-2026-5073/5074, an unauthenticated attacker can extract the plaintext key and invoke the plugin's `armrp` reset action to set a new password for any user, including administrators. No public exploit identified at time of analysis, though the chain is described in detail by Wordfence and the CVSS 9.8 rating reflects unauthenticated remote compromise.
Remote code execution in the Content Visibility for Divi Builder WordPress plugin (versions ≤ 4.02) allows authenticated attackers with Contributor-level access or higher to execute arbitrary PHP on the server by abusing the 'cvdb_content_visibility_check' parameter of the 'et_pb_text' shortcode. The flaw is a CWE-94 code injection issue disclosed by Wordfence and carries a CVSS 3.1 score of 8.8. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Authentication bypass in the WP Swings Wallet System for WooCommerce plugin (versions up to and including 2.7.5) allows an authenticated low-privileged attacker to abuse the password recovery flow as an alternate channel to take over other accounts. Successful exploitation yields high impact to integrity (account/wallet compromise) with limited confidentiality exposure, and no public exploit has been identified at time of analysis.
Stored cross-site scripting in the Tiled Gallery Carousel Without JetPack WordPress plugin (versions up to and including 3.1) allows authenticated attackers with contributor-level access to inject persistent malicious JavaScript via the 'data-image-title' parameter. The injected script executes in victims' browsers each time an affected gallery page is visited, enabling session theft, credential harvesting, or malicious redirects against site visitors and administrators. No public exploit or CISA KEV listing has been identified at time of analysis, though the low privilege barrier (contributor access) broadens the potential attacker pool on sites with open registration.
Cross-Site Request Forgery in the Laiser Tag WordPress plugin (versions up to and including 1.2.5) allows unauthenticated remote attackers to overwrite critical plugin settings - including API keys, tag blacklists, relevance thresholds, batch sizes, and tagging toggles - by tricking a logged-in site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation on the addOptionsPageFields function, as identified by Wordfence and corroborated by source references pointing to Tagging.php and adminOptionPage.php in the plugin's trunk. No public exploit code or CISA KEV listing has been identified at time of analysis, keeping real-world exploitation opportunity relatively constrained by the required administrator interaction.
Cross-Site Request Forgery in the Remove Meta Boxes Per User Role WordPress plugin (all versions ≤1.01) enables unauthenticated remote attackers to modify or reset per-role admin dashboard meta box visibility settings by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation on the plugin's settings page, which is the standard WordPress anti-CSRF mechanism. No public exploit has been identified and the issue is not listed in CISA KEV; real-world impact is limited to low-integrity administrative configuration tampering.
Reflected Cross-Site Scripting in the rognone plugin for WordPress (versions up to and including 0.6.2) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted link containing a malicious 'a' parameter. The vulnerability originates in header.php at line 74, where user-supplied input is reflected into page output without sanitization or escaping. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided in source intelligence.
Cross-Site Request Forgery in the Remove NoFollow Commenter URL WordPress plugin (all versions ≤ 1.0) allows unauthenticated remote attackers to modify the plugin's comment-display settings by tricking a logged-in site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation in the `gmz_comment_settings_save` function, meaning the plugin accepts state-changing POST requests without verifying they originated from a legitimate admin session. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS score of 4.3 (Medium) reflects the required user interaction as a meaningful limiting factor.
Stored Cross-Site Scripting in the Word Replacer WordPress plugin (versions up to and including 0.4) allows authenticated attackers with Administrator-level access to persist arbitrary JavaScript payloads via the 'replacement' parameter, which subsequently execute in the browsers of any user visiting an affected page. Reported by Wordfence, the root cause is insufficient input sanitization and output escaping in word-replacer.php at multiple code locations (lines 191, 230, 339, 343). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the Tectite Forms WordPress plugin (all versions through 1.3) allows unauthenticated remote attackers to modify plugin settings by inducing an authenticated administrator to click a crafted link. The vulnerable surface is the admin_init function, which lacks proper nonce validation (CWE-352), permitting forged requests to alter options such as tectite_forms_button. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the DeMomentSomTres Shortcodes WordPress plugin (all versions through 1.1.1) allows authenticated attackers with contributor-level access to persistently inject arbitrary JavaScript into page content via the 'callout' shortcode's 'width' and 'align' attributes. The injected payload executes in the browsers of any subsequent visitor to the affected page, enabling session hijacking, credential theft, or malicious redirects scoped to the WordPress front-end. No public exploit has been identified at time of analysis, and the CVSS Scope:Changed rating reflects that the impact extends beyond the attacker's own session to affect other users.
Stored Cross-Site Scripting in the Easy Cart WordPress plugin (all versions up to and including 1.8) permits authenticated Contributor-level users to inject persistent JavaScript payloads via the 'add_to_cart' shortcode. The vulnerability originates in the ectp_add_to_cart() function at plugin.php lines 280-287, where shortcode attributes such as 'product_name', 'product_desc', 'itemid', 'product_qty', and 'price' are processed with sanitize_text_field()-a function that strips HTML tags but does not escape double-quote characters-before being embedded in double-quoted HTML attributes. This allows attribute context breakout and arbitrary event handler injection that executes against any visitor loading the affected page. No public exploit code or CISA KEV listing has been identified at time of analysis.
Reflected Cross-Site Scripting in the hiWeb Migration Simple WordPress plugin (all versions up to and including 2.0.0.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'new_domain' parameter rendered in template/force-re-migrate-confirm.php. Exploitation requires tricking a logged-in WordPress administrator into clicking a crafted URL, at which point the injected script executes in the administrator's browser session under the site's origin - a Changed scope per CVSS - enabling potential account takeover or unauthorized admin-level actions. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in source intelligence.
Cross-site request forgery in the Google Plus One Bottom WordPress plugin (all versions ≤ 0.0.2) enables unauthenticated remote attackers to overwrite plugin settings stored in the WordPress database by tricking an authenticated administrator into clicking a crafted link. The root cause is missing nonce validation in the googlePlusOneAdmin function, exposing the plusone-lang, plusone-callback, and plusone-url options to unauthorized modification. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the social-engineering dependency is the primary limiting factor rather than any technical barrier.
Stored Cross-Site Scripting in the WP Nano AD WordPress plugin (all versions through 1.31) allows authenticated administrators to inject persistent malicious scripts via the 'blogrole_link' parameter in add_links.php, with execution occurring in any victim's browser upon visiting the compromised page. Exploitation is restricted to WordPress multi-site networks or single-site installations where the unfiltered_html capability has been explicitly disabled - notably a configuration common in security-hardened deployments. No public exploit identified at time of analysis, though a public security writeup by BFS-Lab has been published on GitHub, increasing the likelihood of weaponized attempts against qualifying environments.
Reflected Cross-Site Scripting in the rognone WordPress plugin (versions ≤ 0.6.2) exposes visitors of affected sites to arbitrary JavaScript injection via the unsanitized 'mode' URL parameter in header.php. Unauthenticated remote attackers (PR:N per CVSS) can deliver a malicious link that, when clicked by a victim, executes attacker-controlled scripts in the victim's browser within the changed scope (S:C) of the WordPress application context. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack complexity (AC:L) and zero authentication requirement lower the bar for opportunistic abuse.
Cross-Site Request Forgery in the BirdSeed WordPress plugin (all versions up to and including 2.2.0) enables unauthenticated remote attackers to overwrite the plugin's API token by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from birdseed_plugin_settings_page() accepting the birdseed_token GET parameter and persisting it via update_option() with no nonce verification, bypassing WordPress's standard CSRF protection entirely. No public exploit has been identified at time of analysis; CVSS rates this Medium (4.3) reflecting narrow integrity impact limited to token replacement.
Stored Cross-Site Scripting in the FPW Category Thumbnails WordPress plugin (all versions ≤1.9.5) allows authenticated attackers with Subscriber-level access to plant persistent JavaScript payloads via the unsanitized 'id' parameter of the 'fpw_fs_get_file' AJAX action. The injected script executes in an administrator's browser upon visiting the plugin's settings page, creating a privilege-escalation pathway from low-privileged subscriber to effective site administrator. No public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the low attack complexity and Changed Scope signal meaningful risk in open-registration WordPress environments.
Missing authorization controls in the JTL-Connector for WooCommerce WordPress plugin (all versions through 2.4.1) allow authenticated attackers holding only Subscriber-level access to invoke three unprotected server-side actions: modifying arbitrary plugin settings, downloading a ZIP archive of developer log files, and deleting those logs. The root cause is the complete absence of WordPress capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector handler and the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX handlers. No public exploit has been identified at time of analysis, and no patched version is confirmed in the available data.
Stored Cross-Site Scripting in the ZeM STL WordPress plugin (all versions through 1.0) allows authenticated contributors to plant persistent malicious scripts in page content via unsanitized [zemstl] shortcode attributes. Wordfence confirmed that the 'url', 'color', and 'bgcolor' shortcode parameters are directly interpolated into HTML attribute context within zemstl.php without passing through WordPress's esc_attr() or any equivalent escaping function, as evidenced by references to the vulnerable source lines (L74, L103, L104, L107). Any site visitor who loads a page containing the injected shortcode will silently execute the attacker's script, enabling session hijacking, credential theft, or privilege escalation against higher-privileged users including administrators. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.
Two-factor authentication bypass in the Really Simple Security WordPress plugin before 9.5.10.1 allows attackers who already possess a valid username and password to hijack a fully authenticated WordPress session without completing the email OTP challenge. Two REST endpoints in the plugin's 2FA flow fail to enforce the second-factor challenge, effectively neutralizing the MFA protection the plugin is marketed to provide. Publicly available exploit code exists (WPScan), and a vendor patch has been released.
Account takeover in the Kirki Freeform Page Builder WordPress plugin (versions 6.0.0 through 6.0.6) allows unauthenticated remote attackers to hijack any registered account, including administrators, by redirecting password reset links to attacker-controlled email addresses. The flaw stems from the plugin honoring an arbitrary email value supplied alongside a valid username in password reset requests, breaking the trust binding between account and recovery destination. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's published advisory make weaponization straightforward.
Stored Cross-Site Scripting in the Simple Custom Login Page WordPress plugin (versions ≤ 1.0.3) allows authenticated administrators to inject arbitrary CSS rules into wp-login.php, which is then rendered for every unauthenticated visitor to the login page. The changed scope (S:C in CVSS) is the critical risk amplifier: a single administrator-level compromise or malicious admin can silently overlay phishing UI elements on the WordPress login page, harvesting credentials from any user who subsequently visits. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Auto Image Attributes From Filename With Bulk Updater WordPress plugin (all versions through 4.9) allows authenticated attackers holding Author-level access or higher to persist arbitrary JavaScript payloads via unsanitized attachment metadata fields. The injected scripts execute in the browser of any user who subsequently accesses the affected page, with Changed scope (S:C) indicating the payload crosses the plugin's trust boundary into the broader WordPress session context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Slider Revolution, a widely deployed WordPress visual slider plugin, exposes an unauthorized plugin-deactivation capability to any authenticated user holding a Contributor-level role or above, across two major release branches. The root cause is a missing authorization check (CWE-862) that fails to verify whether the requesting user holds the WordPress capability required to manage installed plugins. Although the CVSS score of 4.3 reflects the authentication prerequisite, real-world impact in multi-user or open-registration WordPress environments can significantly exceed the score: a malicious contributor could selectively deactivate security plugins - firewalls, login hardeners, or audit loggers - clearing the path for follow-on attacks. No active exploitation has been confirmed (no CISA KEV listing) and no public POC has been identified at time of analysis.
Slider Revolution WordPress plugin versions 7.0.0 through 7.0.14 exposes raw social media API credentials - including Instagram OAuth tokens, Flickr API keys, YouTube Data API keys, and Facebook App IDs - to any authenticated user holding Contributor-level access or higher. The flaw stems from insufficient authorization controls on the 'slider.get.full' AJAX action, which returns full slider configuration data without verifying whether the requesting user should have access to sensitive credential fields. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the real-world impact of credential theft for active social media integrations exceeds what the medium CVSS score alone suggests.
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authorization bypass in Advanced Custom Fields (ACF®) plugin for WordPress versions up to and including 6.8.1 allows unauthenticated remote attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance. The attack requires no credentials, no user interaction, and low complexity - exploitable by anyone who can reach a page rendering a public-facing ACF front-end form. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified at time of analysis, but the zero-barrier attack path makes content integrity on exposed WordPress sites a real concern.
Authenticated privilege escalation to administrator in the Simple History WordPress plugin (versions through 5.26.0) allows a Subscriber-level user to read password-reset email contents logged by SimpleUserLogger and hijack admin accounts. The react/unreact event endpoints reuse a permission callback that only checks for a logged-in user, exposing full event context including reset URLs and keys. No public exploit identified at time of analysis, and exploitation requires that an administrator previously enabled the non-default experimental features option.
Remote code execution in the Spectra Gutenberg Blocks WordPress plugin (versions up to and including 2.19.25) allows authenticated users with Contributor-level access or higher to execute arbitrary PHP on the server by abusing the plugin's block rendering logic. The flaw stems from the plugin trusting attacker-controlled block attributes to register a fake uagb/-prefixed block type with an arbitrary render_callback, which is then invoked via call_user_func() when a second block of the same type is rendered in the same request. No public exploit identified at time of analysis, but the low privilege bar (Contributor is commonly granted to untrusted guest authors) makes this a high-priority issue for sites with open registration.
SQL injection in the GEO my WP WordPress plugin (versions ≤4.5.5) allows unauthenticated remote attackers to append arbitrary SQL via the 'swlatlng' and 'nelatlng' query-string parameters, enabling extraction of sensitive database contents. The flaw stems from reading parameters directly from $_SERVER['QUERY_STRING'] with parse_str(), bypassing WordPress's wp_magic_quotes sanitization. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV, but exploitation requires only a public page hosting the Posts Locator results shortcode.
Unauthenticated arbitrary user deletion in the WP Travel Pro WordPress plugin (versions through 10.6.0) allows remote attackers to delete any WordPress account, including administrators, via an exposed REST API endpoint. The flaw stems from a broken permission callback combined with missing role validation, producing a CVSS 9.1 integrity/availability impact. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward for any actor reading the advisory.
Unauthenticated modification of SEO metadata settings is possible in the Rank Math SEO WordPress plugin through version 1.0.271, stemming from a missing authorization check on the REST API function `update_site_editor_homepage`. Remote, unauthenticated attackers can overwrite homepage title, meta descriptions, breadcrumb labels, and social media metadata, enabling SEO poisoning campaigns and injection of malicious content into breadcrumb components rendered sitewide. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity and requires no authentication.
Payment bypass in the Contact Form 7 - PayPal & Stripe Add-on for WordPress (all versions up to and including 2.4.9) permits unauthenticated attackers to complete arbitrary pending orders without tendering the required payment amount. The IPN handler correctly authenticates PayPal callbacks via the `cmd=_notify-validate` round-trip, but then blindly trusts the attacker-controlled `invoice` field and passes it to `cf7pp_complete_payment()` without verifying that `mc_gross`, `mc_currency`, or `receiver_email` in the IPN match the stored order values - resulting in full order completion triggered by a minimal real payment. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the direct financial incentive and low attack complexity elevate real-world priority beyond what the medium CVSS score alone implies.
SQL Injection in the Frontend Admin by DynamiApps WordPress plugin (all versions through 3.28.28) allows authenticated administrators to extract arbitrary data from the WordPress database via the 'order' parameter in the payments list view. The vulnerability stems from unsanitized concatenation of user-supplied input into a raw SQL query, reachable only when a valid 'orderby' parameter is also present in the same request. No public exploit has been identified at time of analysis, and the high privilege requirement (administrator-level) substantially limits the realistic attacker pool, keeping this a medium-severity, low-urgency finding despite the AV:N classification.
Cross-Site Request Forgery in the Media Library Assistant WordPress plugin versions 3.35 and earlier allows remote attackers to coerce authenticated administrators into executing bulk delete, edit, or purge actions against plugin settings and attachment metadata. The flaw stems from missing nonce checks on bulk action handlers across multiple settings tabs and was reported by Wordfence. There is no public exploit identified at time of analysis and no CISA KEV listing, but the high CVSS of 8.1 reflects significant integrity and availability impact if a logged-in admin is lured to a malicious page.
Stored cross-site scripting in the Link Whisper Free WordPress plugin (versions through 0.9.0) allows unauthenticated remote attackers to inject persistent JavaScript via the user_id parameter, which executes in the browser of any user who visits an affected page. The flaw stems from insufficient input sanitization and output escaping in the plugin's settings handler, and no public exploit identified at time of analysis. With a CVSS 7.2 score reflecting Scope:Changed impact, the bug is notable because exploitation requires no authentication despite affecting an administrative-adjacent plugin component.
Authentication bypass in the OTP Login With Phone Number, OTP Verification WordPress plugin versions 1.8.50 through 1.8.60 allows unauthenticated remote attackers to log in as any user - including administrators - whose phone number is stored in user meta. The flaw stems from the Firebase OTP verification flow failing to bind the verified Firebase session to the phone number supplied in the request, so attackers can verify their own phone via Firebase and then submit a victim's number to be authenticated as that victim. No public exploit identified at time of analysis, but the trivial logic flaw and CVSS 9.8 score make this a critical priority.
Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions up to and including 6.4.15) allows authenticated contributor-level attackers to persistently inject malicious scripts via the carousel_direction parameter of the Carousel Anything widget. The root cause is an unquoted HTML attribute context in the render() function where esc_attr() is applied but insufficient - attribute injection is still possible by appending space-separated event handlers to the bare dir= attribute. Injected payloads persist in the database and execute in any visiting user's browser, including administrators, enabling session hijacking or privilege escalation; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the Simple Divi Shortcode WordPress plugin (versions up to and including 1.2) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into WordPress pages via the unsanitized 'id' parameter of the [showmodule] shortcode. The injected payload executes in the browser of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects within the victim's authenticated session context. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Automotive Car Dealership Business WordPress Theme (all versions through 13.4.1) enables authenticated contributors to permanently embed arbitrary JavaScript via the 'project_details' custom field in Portfolio Items. Because the CVSS scope is Changed (S:C), injected scripts execute in the victim's browser context - not just the WordPress admin panel - enabling session hijacking, credential harvesting, or drive-by malware delivery against site visitors. No public exploit code has been identified at time of analysis, though contributor-level access is routinely available in multi-author dealership or agency WordPress deployments, making the authentication barrier practically low.
Authenticated PHP Object Injection in the WooCommerce Infinite Scroll and Ajax Pagination WordPress plugin (versions up to and including 1.8) allows Subscriber-level users to deserialize attacker-controlled data via the 'settings' parameter of the import_settings function. While the plugin itself contains no usable POP chain, the presence of any vulnerable gadget in another installed plugin or theme can escalate this into arbitrary file deletion, sensitive data disclosure, or remote code execution. There is no public exploit identified at time of analysis, but the low privilege barrier and ubiquity of WordPress gadget chains make this a meaningful risk for multi-plugin sites.
Remote unauthenticated privilege escalation in the WP Maps Pro WordPress plugin (all versions through 6.1.0) allows attackers to create a new administrator account and authenticate as that user, resulting in complete site takeover. The flaw stems from an AJAX handler exposed to unauthenticated users and protected only by a publicly-embedded nonce, making the access check ineffective. No public exploit identified at time of analysis, but the trivial nature of the bug (default-enabled handler, no authentication, magic login URL returned to the caller) makes weaponization straightforward once details circulate.
Stored cross-site scripting in the StatCounter - Free Real Time Visitor Stats WordPress plugin (versions up to and including 2.1.1) allows authenticated users with Author-level access or higher to inject arbitrary JavaScript into post pages by setting a crafted WordPress profile nickname. The unescaped nickname is embedded directly into a JavaScript string context within a <script> block rendered on every post page via the wp_head hook, causing the payload to execute in the browser of any visitor - including unauthenticated users - who loads a post authored by the attacker. No public exploit has been identified at time of analysis, but the low attack complexity (AC:L) and broad exposure surface (every post page on affected sites) make this a practical risk wherever sites permit untrusted Author-level accounts.
Unauthenticated information disclosure in the Cloudways Breeze Cache plugin for WordPress (all versions ≤ 2.5.2) allows remote attackers to retrieve administrator-cached page content by supplying a forged session cookie. When the non-default 'Cache Logged-in Users' feature is active, the plugin resolves cached page files by parsing the username directly from the cookie value without verifying the WordPress HMAC signature, enabling any unauthenticated actor who knows or guesses a valid username to obtain that user's cached HTML output. Exposed data includes full content of private posts, Admin Bar markup, WordPress nonces, and other privileged interface elements. No public exploit has been identified and the vulnerability is not listed in CISA KEV; version 2.5.3 contains the fix.
Poll Maker WordPress plugin (versions ≤6.3.7) leaks the complete WP_User object - including bcrypt password hashes, email addresses, login names, registration dates, roles, and capabilities - through an AJAX endpoint that performs no nonce verification or capability check beyond confirming the requestor is logged in. Any subscriber-level authenticated user on an affected site can call the `ays_poll_get_user_information` action and retrieve user data that WordPress deliberately withholds from all of its standard interfaces, including the REST API. No public exploit has been identified at time of analysis, but the attack requires only a valid subscriber session and a single POST request, and the recovered bcrypt hash enables offline password-cracking attacks.
Stored Cross-Site Scripting in the Post Snippets WordPress plugin (≤4.0.19) allows authenticated administrators on multisite installations to inject persistent JavaScript into the post editor via a crafted import file, exploiting a commented-out quote-escaping routine in WPEditor.php. The injected payload executes silently in the browser of any administrator who subsequently opens any post editor page, enabling session hijacking or further lateral movement within the multisite network. No public exploit identified at time of analysis; real-world impact is bounded by the Administrator-level access prerequisite and the explicit exclusion of single-site WordPress installations.
Unauthenticated privilege escalation in the Advanced Custom Fields: Extended (ACFE) WordPress plugin through version 0.9.2.5 allows remote attackers to create new administrator-level accounts on vulnerable sites. The flaw stems from the after_validate_save_post() function trusting an attacker-controlled POST parameter to bypass role allow-list and capability validation when a public ACFE frontend form with a Create User action is exposed. With a CVSS 9.8 and no public exploit identified at time of analysis, the vulnerability presents a direct site-takeover path on affected configurations.
Stored Cross-Site Scripting in the Shariff Wrapper WordPress plugin (all versions ≤ 4.6.20) allows authenticated Contributors to inject persistent JavaScript payloads via the 'headline' parameter of the [shariff] shortcode, which then execute in any visitor's browser upon page load. The Changed scope (S:C in CVSS) means the injected payload escapes the plugin's context and runs inside victim browsers across the full WordPress front-end, enabling session theft, credential harvesting, or drive-by redirection. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and persistent nature of stored XSS make it a meaningful risk on multi-author or open-registration WordPress installations.
Unauthenticated privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows remote attackers to create administrator accounts by submitting a crafted form payload. The flaw stems from the plugin trusting an attacker-supplied form definition passed via $_POST['_acf_form'] as an array, which bypasses the legitimate server-side form lookup and allows the role field's allowed values to be spoofed. No public exploit identified at time of analysis, but the vulnerability is reported by Wordfence and is straightforwardly weaponizable given the documented logic flaw.
Missing authorization on the bulk appointments REST API endpoint in Simply Schedule Appointments WordPress plugin (all versions up to and including 1.6.11.8) permits unauthenticated mass modification and disclosure of customer appointment data. The flaw is compounded by a static, user-independent nonce embedded in the HTML source of any page rendering the [ssa_booking] shortcode, meaning a single anonymous page visit yields a credential sufficient to target every appointment in the system. An attacker can overwrite customer PII, alter payment status, and hijack meeting URLs across all bookings, or enumerate full customer records via the bulk endpoint response - no account or session required. No public exploit code and no CISA KEV listing are identified at time of analysis.
Missing authorization on three AJAX handlers in the Visualizer: Tables and Charts Manager plugin for WordPress (by Themeisle) allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and read or overwrite chart data owned by any site user, including administrators. The wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data actions invoke renderChartPages() and uploadData() without any current_user_can() capability check; the nonce validation in uploadData() is further trivialized by the absence of an action argument, making it bypassable with any valid WordPress nonce. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 4.0.1.
Authorization bypass in the Equalize Digital Accessibility Checker WordPress plugin (all versions through 1.42.0) allows low-privileged authenticated users to corrupt accessibility audit integrity site-wide. Authenticated attackers holding subscriber-level accounts or higher can invoke AJAX endpoints in class-ajax.php to modify the ignore state, ignore reason, and ignore comment of any accessibility issue across the entire site, effectively hiding or dismissing audit findings they are not authorized to manage. The vulnerability is amplified by a mass-modification code path triggered when the largeBatch=true parameter is supplied, enabling bulk suppression of all findings sharing a common object identifier in a single request. No public exploit code or CISA KEV listing has been identified at time of analysis.
Time-based blind SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.40) allows authenticated attackers holding contributor-level access or above to exfiltrate sensitive database contents by embedding a crafted shortcode in a post or draft. The `order_by` parameter is passed unsanitized into existing SQL queries, and the injected payload executes when the shortcode is rendered - targeting WordPress databases containing credentials, user PII, and site configuration. No public exploit code or CISA KEV listing has been identified at time of analysis, though the high confidentiality impact and low attack complexity make this a meaningful risk on any site with non-administrative contributors.
Sensitive information exposure in the PDF Embedder WordPress plugin (all versions through 4.9.3) allows authenticated attackers with contributor-level access or higher to extract configuration data via the enqueue_block_assets hook. The severity of impact is installation-dependent: on sites running the premium add-on with a saved license key, attackers can exfiltrate that license key; on Lite-only installations, exposed data is limited to non-sensitive viewer settings such as dimensions, toolbar preferences, and usage tracking. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Stored cross-site scripting in the HT Contact Form - Drag & Drop Form Builder for WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to inject persistent JavaScript via the 'file_upload' parameter, which gets rendered via dangerouslySetInnerHTML in the admin entry viewer. The injected payload executes in the browser context of any administrator who opens the affected submission, enabling session theft, privilege abuse, or arbitrary admin actions. No public exploit identified at time of analysis, and the issue requires the plugin's 'Store Submissions' setting to be enabled for the unsanitized values to persist.
Time-based blind SQL injection in the Simply Schedule Appointments WordPress plugin (versions up to and including 1.6.11.8) allows unauthenticated remote attackers to extract sensitive database contents through the 'append_where_sql' parameter on the /appointments/bulk REST endpoint. The endpoint's permission check accepts a public nonce embedded in the booking widget's frontend JavaScript, and a PUT request with a urlencoded body bypasses the plugin's blocklist by preventing PHP from populating the relevant superglobals. No public exploit identified at time of analysis, though Wordfence has documented the technique in detail.
Authorization bypass in the WordPress '3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On' plugin (all versions through 2.0.1) permits any subscriber-level authenticated user to overwrite the plugin's entire settings store via an exposed REST API endpoint with no privilege validation. The flaw stems from CWE-862 (Missing Authorization) in the REST route handler at /wp-json/ar_try_on/v1/settings, allowing arbitrary data to be written directly to the ar_try_on_settings database option. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the low authentication bar (subscriber account) makes it accessible to a broad attacker pool on sites with open user registration.
Reflected Cross-Site Scripting in the Easy Updates Manager WordPress plugin (versions ≤ 9.0.20) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'paged' parameter in the pagination() function of MPSUM_List_Table.php. Successful exploitation requires social engineering a logged-in WordPress administrator into clicking a crafted URL, after which the injected script executes in the admin's browser under the site's origin - enabling session hijacking, unauthorized admin actions, or credential theft. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.
Unauthorized access in the SMTP2GO for WordPress plugin (all versions through 1.16.0) allows authenticated attackers holding only subscriber-level accounts to either wipe all SMTP delivery log records from the WordPress database or export a full CSV of those logs - exposing recipient addresses, sender addresses, message subjects, and API response data. The flaw stems from missing authorization checks on administrative actions within the plugin's WordPress admin class (WordpressPluginAdmin.php), meaning low-privileged users can invoke privileged log-management operations without restriction. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege bar makes this accessible to any registered WordPress user.
Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration data to unauthenticated remote attackers, including Google Maps API keys and GeoNames service credentials. The flaw (CWE-862 Missing Authorization) exists at specific request-handling code paths in geo-mashup.php (lines 515, 528, and 1525), where the plugin returns configuration data without verifying requester authorization. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable with no authentication, no complexity, and no user interaction required against any affected installation.
Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the Simple SEO Slideshow WordPress plugin (all versions through 1.2.8) allows authenticated attackers holding contributor-level roles to inject persistent JavaScript payloads via unsanitized shortcode attributes. Because WordPress KSES does not strip malicious values from shortcode attributes during post save, the payload survives sanitization and executes for every subsequent visitor - including administrators reviewing the post - making privilege escalation a realistic downstream impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the Wordfence intelligence platform has formally catalogued it.
Stored Cross-Site Scripting in the Express Payment For Stripe WordPress plugin (versions up to and including 1.28.0) allows authenticated contributors to permanently embed malicious JavaScript into site pages via the unsanitized 'type' attribute of the [stripe-express] shortcode. The root defect is in register_shortcode() within wp-stripe-shortcodes.php, where the attribute value is concatenated directly into an HTML attribute without passing through WordPress's esc_attr() or any equivalent escaping function. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV; however, the CVSS Changed Scope (S:C) signals that successful exploitation escapes the contributor's own security context and can compromise higher-privileged users such as administrators who visit the injected page.
Payment forgery in the Event Monster WordPress plugin (versions through 2.1.0) allows unauthenticated remote attackers to generate valid paid event tickets without completing any actual payment transaction. The AJAX handler wp_ajax_nopriv_em_capture_payment accepts client-supplied transaction ID, amount, and payment status values at face value, with no PayPal API verification, no nonce, and no capability check - meaning any HTTP client can POST fabricated payment confirmation data and receive a fully authenticated QR-coded ticket via email. No public exploit has been identified at time of analysis, but the attack requires no authentication and minimal technical skill, making it a meaningful financial fraud risk for any site using this plugin for paid events.
Cross-Site Request Forgery in the Frontend User Notes WordPress plugin (all versions through 2.1.1) allows unauthenticated remote attackers to trick an authenticated victim into overwriting their own note content. The funp_ajax_modify_notes function lacks proper nonce validation, enabling forged requests to invoke wp_update_post() on behalf of the logged-in victim. No public exploit has been identified at time of analysis, and the attack's impact is bounded by ownership enforcement: only the tricked victim's own notes can be altered, not those of arbitrary third-party users.
Time-based blind SQL injection in the Quiz and Survey Master (QSM) WordPress plugin versions through 11.1.2 allows authenticated administrators to extract sensitive database contents via the unsanitized 'order' parameter in the quiz API. The vulnerability resides in class-qsm-quiz-api.php at multiple query construction points (lines 126, 131, 164, 243, 374), where user-supplied sort order values are concatenated directly into SQL without prepared statements. Critically, if the plugin's secret key is exposed, this privilege barrier drops, enabling lower-privileged users to exploit the same injection path. No public exploit code or CISA KEV listing is identified at time of analysis.
Arbitrary Media Library attachment deletion in the Charitable donation plugin for WordPress (versions through 1.8.11.1) is achievable by any authenticated user with Subscriber-level access or above via a two-stage IDOR exploit chain in the profile avatar update flow. The attack chains two weak points: Charitable_Data_Processor::process_picture() returns a raw user-supplied attachment ID verbatim when no file is uploaded, allowing an attacker to poison their own avatar user meta with any arbitrary attachment ID, which save_avatar() then blindly passes to wp_delete_attachment() without verifying that the target attachment belongs to the requesting user. No public exploit has been identified at time of analysis, and exploitation is constrained to authenticated users on sites with active user registration.
Arbitrary directory deletion in the WPvivid Backup & Migration WordPress plugin (all versions through 0.9.128) allows authenticated administrators to remove arbitrary server-side folders by submitting a crafted path to the delete_cancel_staging_site() function. Impact is confined to integrity and availability - server files and directories can be irreversibly destroyed - with no confidentiality exposure. No public exploit identified at time of analysis, and exploitation requires high-privilege WordPress credentials, substantially limiting real-world risk.
Authorization bypass in the Alba Board WordPress plugin (all versions through 2.1.3) exposes private project card data to unauthorized access. Despite the CVSS vector assigning PR:L (low privileges required), the vulnerability description explicitly reveals a more severe exploitation path: the AJAX handler is registered under the wp_ajax_nopriv_ hook, and the required nonce is broadcast to all site visitors via wp_localize_script on any page rendering the [alba_board] shortcode - enabling fully unauthenticated access to private alba_card records including titles, descriptions, assignees, due dates, tags, and comments. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, though the vulnerable code path is publicly browsable in the WordPress plugin repository.
Authenticated remote code execution in the Admin Columns WordPress plugin (versions through 7.0.18) allows Contributor-level users to inject serialized PHP objects via post meta and trigger a bundled POP gadget chain through the Laravel SerializableClosure component. Reported by Wordfence with CVSS 8.8, no public exploit identified at time of analysis, though the low privilege barrier and bundled gadget chain make weaponization straightforward for any researcher with plugin access.
Remote code execution in WP Captcha PRO (premium version of the Advanced Google reCAPTCHA WordPress plugin) through version 5.38 allows authenticated Subscriber-level attackers to upload arbitrary files, including PHP webshells, by abusing the licensing module's save_ajax() capability check and the unrestricted archive extraction in sync_cloud_protection(). No public exploit identified at time of analysis, but the CVSS 8.8 rating and trivial Subscriber-level prerequisite - common on sites with open registration - make this a high-priority WordPress ecosystem flaw. Wordfence is the original reporter and primary intelligence source.
Authentication bypass in WP Captcha PRO (and the free Advanced Google reCAPTCHA plugin sharing the same slug) for WordPress versions through 5.38 allows authenticated Subscriber-level users to log in as any account, including Administrator. The flaw chains a missing capability check in the ajax_run_tool() AJAX handler with the create_temporary_link tool that issues passwordless login links for arbitrary users, enabling full account takeover. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. No public exploit identified at time of analysis, but the trivial exploitation path and 9.8 CVSS score make this an urgent patch priority for any WordPress site running the plugin.
Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed.
Server-Side Request Forgery in the Essential Blocks WordPress plugin (versions through 6.1.3) allows authenticated users with Author-level access or higher to coerce the WordPress server into making arbitrary outbound HTTP requests via the save_ai_generated_image() function. The flaw enables attackers to probe internal network services, read responses from internal endpoints, and potentially modify state on services that trust requests from the WordPress host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stored cross-site scripting in Shopware's media manager allows any authenticated admin to upload an unsanitized SVG file containing arbitrary JavaScript that executes in the Shopware domain context when the file is accessed by any user. The upload pipeline - spanning MediaUploadController, FileSaver, and TypeDetector - classifies SVG as a valid ImageType with VECTOR_GRAPHIC flag but performs zero content sanitization: no DOMPurify, no enshrined/svg-sanitize, no strip_tags on SVG XML content. In an e-commerce context this enables admin account takeover, customer data exfiltration, and malicious plugin installation. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV.
WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Soliloquy Lite 2.5.6 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting script tags in the post title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection in MasterStudy LMS Pro Plus for WordPress exposes database contents to authenticated instructors through the unsanitized 'columns' parameter, affecting all versions up to and including 4.8.20. The vulnerability stems from insufficient input escaping and absent parameterized query preparation, enabling authenticated attackers with at minimum instructor-level access to append arbitrary SQL to existing queries and extract sensitive data. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and high confidentiality impact make this a meaningful risk for multi-tenant LMS deployments where instructors are semi-trusted external parties.
Unauthenticated information disclosure in the SP Project & Document Manager WordPress plugin (versions up to and including 4.71) allows remote attackers to enumerate file metadata and obtain download links for arbitrary files stored within project folders. The flaw stems from a broken authorization gate in the view_file AJAX handler where a negated nonce check is OR-chained with permission checks, causing the entire condition to evaluate true when no valid nonce is supplied. No public exploit identified at time of analysis, and the CVSS 7.5 score reflects confidentiality-only impact with no integrity or availability consequences.
Cross-Site Request Forgery in the EmergencyWP WordPress plugin (all versions ≤1.4.2) permits unauthenticated attackers to overwrite critical plugin settings by tricking an authenticated site administrator into triggering a forged request. The missing nonce validation in the form_settings_ui settings save handler exposes controls that include WordPress role capability manipulation (add_cap/remove_cap), a data-erasure-on-uninstall flag, life-check timing, and the mandator notification email - settings whose combined impact exceeds the CVSS 4.3 baseline. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the role-capability attack surface warrants prioritized patching for sites relying on this plugin.
Stored Cross-Site Scripting in the Passeum Ticketing WordPress plugin (all versions ≤ 1.0) allows authenticated administrators on multisite installations to load attacker-controlled JavaScript and CSS on every frontend page that renders a plugin shortcode. The attack path runs through the plugin's `shop_name` setting: the `validate_shop_name()` function accepts any non-empty string, and `get_shop_url()` passes URLs beginning with 'http' directly to `wp_register_script()` and `wp_register_style()` without sanitization, causing the site to enqueue external resources from an attacker-controlled domain for all site visitors. No public exploit identified at time of analysis, and the vulnerability is explicitly scoped to WordPress multisite environments - single-site administrators are unaffected because they already hold the `unfiltered_html` capability.
Unauthenticated SQL injection in the ARMember Premium WordPress plugin (versions up to and including 7.3.1) allows remote attackers to extract sensitive database contents by injecting crafted values into the 'order' and 'orderby' parameters of the arm_directory_paging_action AJAX endpoint. With CVSS 7.5 reflecting confidentiality-only impact and no public exploit identified at time of analysis, the bug is reachable without credentials but EPSS data was not provided to estimate exploitation likelihood.
SQL Injection in ARMember Premium WordPress membership plugin (versions up to and including 7.3.1) enables authenticated attackers with Subscriber-level access to extract sensitive database contents via the `get_private_content_data` AJAX action. The flaw resides in the `sSortDir_0` parameter, which is concatenated unsanitized into an ORDER BY clause - a notoriously difficult injection point to parameterize, requiring explicit allowlist validation that is absent here. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog; however, the low authentication bar (subscriber accounts) and network-accessible attack vector make it a meaningful risk where the addon is active.
Account takeover in the ARMember Premium WordPress plugin through version 7.3.1 stems from the plugin storing a plaintext password reset key in the `arm_reset_password_key` user meta field alongside WordPress core's properly hashed token. When chained with the companion SQL injection issues CVE-2026-5073/5074, an unauthenticated attacker can extract the plaintext key and invoke the plugin's `armrp` reset action to set a new password for any user, including administrators. No public exploit identified at time of analysis, though the chain is described in detail by Wordfence and the CVSS 9.8 rating reflects unauthenticated remote compromise.
Remote code execution in the Content Visibility for Divi Builder WordPress plugin (versions ≤ 4.02) allows authenticated attackers with Contributor-level access or higher to execute arbitrary PHP on the server by abusing the 'cvdb_content_visibility_check' parameter of the 'et_pb_text' shortcode. The flaw is a CWE-94 code injection issue disclosed by Wordfence and carries a CVSS 3.1 score of 8.8. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Authentication bypass in the WP Swings Wallet System for WooCommerce plugin (versions up to and including 2.7.5) allows an authenticated low-privileged attacker to abuse the password recovery flow as an alternate channel to take over other accounts. Successful exploitation yields high impact to integrity (account/wallet compromise) with limited confidentiality exposure, and no public exploit has been identified at time of analysis.
Stored cross-site scripting in the Tiled Gallery Carousel Without JetPack WordPress plugin (versions up to and including 3.1) allows authenticated attackers with contributor-level access to inject persistent malicious JavaScript via the 'data-image-title' parameter. The injected script executes in victims' browsers each time an affected gallery page is visited, enabling session theft, credential harvesting, or malicious redirects against site visitors and administrators. No public exploit or CISA KEV listing has been identified at time of analysis, though the low privilege barrier (contributor access) broadens the potential attacker pool on sites with open registration.
Cross-Site Request Forgery in the Laiser Tag WordPress plugin (versions up to and including 1.2.5) allows unauthenticated remote attackers to overwrite critical plugin settings - including API keys, tag blacklists, relevance thresholds, batch sizes, and tagging toggles - by tricking a logged-in site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation on the addOptionsPageFields function, as identified by Wordfence and corroborated by source references pointing to Tagging.php and adminOptionPage.php in the plugin's trunk. No public exploit code or CISA KEV listing has been identified at time of analysis, keeping real-world exploitation opportunity relatively constrained by the required administrator interaction.
Cross-Site Request Forgery in the Remove Meta Boxes Per User Role WordPress plugin (all versions ≤1.01) enables unauthenticated remote attackers to modify or reset per-role admin dashboard meta box visibility settings by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation on the plugin's settings page, which is the standard WordPress anti-CSRF mechanism. No public exploit has been identified and the issue is not listed in CISA KEV; real-world impact is limited to low-integrity administrative configuration tampering.
Reflected Cross-Site Scripting in the rognone plugin for WordPress (versions up to and including 0.6.2) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted link containing a malicious 'a' parameter. The vulnerability originates in header.php at line 74, where user-supplied input is reflected into page output without sanitization or escaping. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided in source intelligence.
Cross-Site Request Forgery in the Remove NoFollow Commenter URL WordPress plugin (all versions ≤ 1.0) allows unauthenticated remote attackers to modify the plugin's comment-display settings by tricking a logged-in site administrator into clicking a crafted link. The vulnerability stems from absent or incorrect nonce validation in the `gmz_comment_settings_save` function, meaning the plugin accepts state-changing POST requests without verifying they originated from a legitimate admin session. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS score of 4.3 (Medium) reflects the required user interaction as a meaningful limiting factor.
Stored Cross-Site Scripting in the Word Replacer WordPress plugin (versions up to and including 0.4) allows authenticated attackers with Administrator-level access to persist arbitrary JavaScript payloads via the 'replacement' parameter, which subsequently execute in the browsers of any user visiting an affected page. Reported by Wordfence, the root cause is insufficient input sanitization and output escaping in word-replacer.php at multiple code locations (lines 191, 230, 339, 343). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the Tectite Forms WordPress plugin (all versions through 1.3) allows unauthenticated remote attackers to modify plugin settings by inducing an authenticated administrator to click a crafted link. The vulnerable surface is the admin_init function, which lacks proper nonce validation (CWE-352), permitting forged requests to alter options such as tectite_forms_button. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the DeMomentSomTres Shortcodes WordPress plugin (all versions through 1.1.1) allows authenticated attackers with contributor-level access to persistently inject arbitrary JavaScript into page content via the 'callout' shortcode's 'width' and 'align' attributes. The injected payload executes in the browsers of any subsequent visitor to the affected page, enabling session hijacking, credential theft, or malicious redirects scoped to the WordPress front-end. No public exploit has been identified at time of analysis, and the CVSS Scope:Changed rating reflects that the impact extends beyond the attacker's own session to affect other users.
Stored Cross-Site Scripting in the Easy Cart WordPress plugin (all versions up to and including 1.8) permits authenticated Contributor-level users to inject persistent JavaScript payloads via the 'add_to_cart' shortcode. The vulnerability originates in the ectp_add_to_cart() function at plugin.php lines 280-287, where shortcode attributes such as 'product_name', 'product_desc', 'itemid', 'product_qty', and 'price' are processed with sanitize_text_field()-a function that strips HTML tags but does not escape double-quote characters-before being embedded in double-quoted HTML attributes. This allows attribute context breakout and arbitrary event handler injection that executes against any visitor loading the affected page. No public exploit code or CISA KEV listing has been identified at time of analysis.
Reflected Cross-Site Scripting in the hiWeb Migration Simple WordPress plugin (all versions up to and including 2.0.0.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'new_domain' parameter rendered in template/force-re-migrate-confirm.php. Exploitation requires tricking a logged-in WordPress administrator into clicking a crafted URL, at which point the injected script executes in the administrator's browser session under the site's origin - a Changed scope per CVSS - enabling potential account takeover or unauthorized admin-level actions. No public exploit code or CISA KEV listing has been identified at time of analysis; EPSS data was not provided in source intelligence.
Cross-site request forgery in the Google Plus One Bottom WordPress plugin (all versions ≤ 0.0.2) enables unauthenticated remote attackers to overwrite plugin settings stored in the WordPress database by tricking an authenticated administrator into clicking a crafted link. The root cause is missing nonce validation in the googlePlusOneAdmin function, exposing the plusone-lang, plusone-callback, and plusone-url options to unauthorized modification. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the social-engineering dependency is the primary limiting factor rather than any technical barrier.
Stored Cross-Site Scripting in the WP Nano AD WordPress plugin (all versions through 1.31) allows authenticated administrators to inject persistent malicious scripts via the 'blogrole_link' parameter in add_links.php, with execution occurring in any victim's browser upon visiting the compromised page. Exploitation is restricted to WordPress multi-site networks or single-site installations where the unfiltered_html capability has been explicitly disabled - notably a configuration common in security-hardened deployments. No public exploit identified at time of analysis, though a public security writeup by BFS-Lab has been published on GitHub, increasing the likelihood of weaponized attempts against qualifying environments.
Reflected Cross-Site Scripting in the rognone WordPress plugin (versions ≤ 0.6.2) exposes visitors of affected sites to arbitrary JavaScript injection via the unsanitized 'mode' URL parameter in header.php. Unauthenticated remote attackers (PR:N per CVSS) can deliver a malicious link that, when clicked by a victim, executes attacker-controlled scripts in the victim's browser within the changed scope (S:C) of the WordPress application context. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis, though the trivial attack complexity (AC:L) and zero authentication requirement lower the bar for opportunistic abuse.
Cross-Site Request Forgery in the BirdSeed WordPress plugin (all versions up to and including 2.2.0) enables unauthenticated remote attackers to overwrite the plugin's API token by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from birdseed_plugin_settings_page() accepting the birdseed_token GET parameter and persisting it via update_option() with no nonce verification, bypassing WordPress's standard CSRF protection entirely. No public exploit has been identified at time of analysis; CVSS rates this Medium (4.3) reflecting narrow integrity impact limited to token replacement.
Stored Cross-Site Scripting in the FPW Category Thumbnails WordPress plugin (all versions ≤1.9.5) allows authenticated attackers with Subscriber-level access to plant persistent JavaScript payloads via the unsanitized 'id' parameter of the 'fpw_fs_get_file' AJAX action. The injected script executes in an administrator's browser upon visiting the plugin's settings page, creating a privilege-escalation pathway from low-privileged subscriber to effective site administrator. No public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the low attack complexity and Changed Scope signal meaningful risk in open-registration WordPress environments.
Missing authorization controls in the JTL-Connector for WooCommerce WordPress plugin (all versions through 2.4.1) allow authenticated attackers holding only Subscriber-level access to invoke three unprotected server-side actions: modifying arbitrary plugin settings, downloading a ZIP archive of developer log files, and deleting those logs. The root cause is the complete absence of WordPress capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector handler and the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX handlers. No public exploit has been identified at time of analysis, and no patched version is confirmed in the available data.
Stored Cross-Site Scripting in the ZeM STL WordPress plugin (all versions through 1.0) allows authenticated contributors to plant persistent malicious scripts in page content via unsanitized [zemstl] shortcode attributes. Wordfence confirmed that the 'url', 'color', and 'bgcolor' shortcode parameters are directly interpolated into HTML attribute context within zemstl.php without passing through WordPress's esc_attr() or any equivalent escaping function, as evidenced by references to the vulnerable source lines (L74, L103, L104, L107). Any site visitor who loads a page containing the injected shortcode will silently execute the attacker's script, enabling session hijacking, credential theft, or privilege escalation against higher-privileged users including administrators. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis.
Two-factor authentication bypass in the Really Simple Security WordPress plugin before 9.5.10.1 allows attackers who already possess a valid username and password to hijack a fully authenticated WordPress session without completing the email OTP challenge. Two REST endpoints in the plugin's 2FA flow fail to enforce the second-factor challenge, effectively neutralizing the MFA protection the plugin is marketed to provide. Publicly available exploit code exists (WPScan), and a vendor patch has been released.
Account takeover in the Kirki Freeform Page Builder WordPress plugin (versions 6.0.0 through 6.0.6) allows unauthenticated remote attackers to hijack any registered account, including administrators, by redirecting password reset links to attacker-controlled email addresses. The flaw stems from the plugin honoring an arbitrary email value supplied alongside a valid username in password reset requests, breaking the trust binding between account and recovery destination. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's published advisory make weaponization straightforward.
Stored Cross-Site Scripting in the Simple Custom Login Page WordPress plugin (versions ≤ 1.0.3) allows authenticated administrators to inject arbitrary CSS rules into wp-login.php, which is then rendered for every unauthenticated visitor to the login page. The changed scope (S:C in CVSS) is the critical risk amplifier: a single administrator-level compromise or malicious admin can silently overlay phishing UI elements on the WordPress login page, harvesting credentials from any user who subsequently visits. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Auto Image Attributes From Filename With Bulk Updater WordPress plugin (all versions through 4.9) allows authenticated attackers holding Author-level access or higher to persist arbitrary JavaScript payloads via unsanitized attachment metadata fields. The injected scripts execute in the browser of any user who subsequently accesses the affected page, with Changed scope (S:C) indicating the payload crosses the plugin's trust boundary into the broader WordPress session context. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Slider Revolution, a widely deployed WordPress visual slider plugin, exposes an unauthorized plugin-deactivation capability to any authenticated user holding a Contributor-level role or above, across two major release branches. The root cause is a missing authorization check (CWE-862) that fails to verify whether the requesting user holds the WordPress capability required to manage installed plugins. Although the CVSS score of 4.3 reflects the authentication prerequisite, real-world impact in multi-user or open-registration WordPress environments can significantly exceed the score: a malicious contributor could selectively deactivate security plugins - firewalls, login hardeners, or audit loggers - clearing the path for follow-on attacks. No active exploitation has been confirmed (no CISA KEV listing) and no public POC has been identified at time of analysis.
Slider Revolution WordPress plugin versions 7.0.0 through 7.0.14 exposes raw social media API credentials - including Instagram OAuth tokens, Flickr API keys, YouTube Data API keys, and Facebook App IDs - to any authenticated user holding Contributor-level access or higher. The flaw stems from insufficient authorization controls on the 'slider.get.full' AJAX action, which returns full slider configuration data without verifying whether the requesting user should have access to sensitive credential fields. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the real-world impact of credential theft for active social media integrations exceeds what the medium CVSS score alone suggests.
WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authorization bypass in Advanced Custom Fields (ACF®) plugin for WordPress versions up to and including 6.8.1 allows unauthenticated remote attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance. The attack requires no credentials, no user interaction, and low complexity - exploitable by anyone who can reach a page rendering a public-facing ACF front-end form. This vulnerability is not listed in the CISA KEV catalog and no public exploit code has been identified at time of analysis, but the zero-barrier attack path makes content integrity on exposed WordPress sites a real concern.
Authenticated privilege escalation to administrator in the Simple History WordPress plugin (versions through 5.26.0) allows a Subscriber-level user to read password-reset email contents logged by SimpleUserLogger and hijack admin accounts. The react/unreact event endpoints reuse a permission callback that only checks for a logged-in user, exposing full event context including reset URLs and keys. No public exploit identified at time of analysis, and exploitation requires that an administrator previously enabled the non-default experimental features option.
Remote code execution in the Spectra Gutenberg Blocks WordPress plugin (versions up to and including 2.19.25) allows authenticated users with Contributor-level access or higher to execute arbitrary PHP on the server by abusing the plugin's block rendering logic. The flaw stems from the plugin trusting attacker-controlled block attributes to register a fake uagb/-prefixed block type with an arbitrary render_callback, which is then invoked via call_user_func() when a second block of the same type is rendered in the same request. No public exploit identified at time of analysis, but the low privilege bar (Contributor is commonly granted to untrusted guest authors) makes this a high-priority issue for sites with open registration.
SQL injection in the GEO my WP WordPress plugin (versions ≤4.5.5) allows unauthenticated remote attackers to append arbitrary SQL via the 'swlatlng' and 'nelatlng' query-string parameters, enabling extraction of sensitive database contents. The flaw stems from reading parameters directly from $_SERVER['QUERY_STRING'] with parse_str(), bypassing WordPress's wp_magic_quotes sanitization. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV, but exploitation requires only a public page hosting the Posts Locator results shortcode.
Unauthenticated arbitrary user deletion in the WP Travel Pro WordPress plugin (versions through 10.6.0) allows remote attackers to delete any WordPress account, including administrators, via an exposed REST API endpoint. The flaw stems from a broken permission callback combined with missing role validation, producing a CVSS 9.1 integrity/availability impact. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward for any actor reading the advisory.
Unauthenticated modification of SEO metadata settings is possible in the Rank Math SEO WordPress plugin through version 1.0.271, stemming from a missing authorization check on the REST API function `update_site_editor_homepage`. Remote, unauthenticated attackers can overwrite homepage title, meta descriptions, breadcrumb labels, and social media metadata, enabling SEO poisoning campaigns and injection of malicious content into breadcrumb components rendered sitewide. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity and requires no authentication.
Payment bypass in the Contact Form 7 - PayPal & Stripe Add-on for WordPress (all versions up to and including 2.4.9) permits unauthenticated attackers to complete arbitrary pending orders without tendering the required payment amount. The IPN handler correctly authenticates PayPal callbacks via the `cmd=_notify-validate` round-trip, but then blindly trusts the attacker-controlled `invoice` field and passes it to `cf7pp_complete_payment()` without verifying that `mc_gross`, `mc_currency`, or `receiver_email` in the IPN match the stored order values - resulting in full order completion triggered by a minimal real payment. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the direct financial incentive and low attack complexity elevate real-world priority beyond what the medium CVSS score alone implies.
SQL Injection in the Frontend Admin by DynamiApps WordPress plugin (all versions through 3.28.28) allows authenticated administrators to extract arbitrary data from the WordPress database via the 'order' parameter in the payments list view. The vulnerability stems from unsanitized concatenation of user-supplied input into a raw SQL query, reachable only when a valid 'orderby' parameter is also present in the same request. No public exploit has been identified at time of analysis, and the high privilege requirement (administrator-level) substantially limits the realistic attacker pool, keeping this a medium-severity, low-urgency finding despite the AV:N classification.
Cross-Site Request Forgery in the Media Library Assistant WordPress plugin versions 3.35 and earlier allows remote attackers to coerce authenticated administrators into executing bulk delete, edit, or purge actions against plugin settings and attachment metadata. The flaw stems from missing nonce checks on bulk action handlers across multiple settings tabs and was reported by Wordfence. There is no public exploit identified at time of analysis and no CISA KEV listing, but the high CVSS of 8.1 reflects significant integrity and availability impact if a logged-in admin is lured to a malicious page.
Stored cross-site scripting in the Link Whisper Free WordPress plugin (versions through 0.9.0) allows unauthenticated remote attackers to inject persistent JavaScript via the user_id parameter, which executes in the browser of any user who visits an affected page. The flaw stems from insufficient input sanitization and output escaping in the plugin's settings handler, and no public exploit identified at time of analysis. With a CVSS 7.2 score reflecting Scope:Changed impact, the bug is notable because exploitation requires no authentication despite affecting an administrative-adjacent plugin component.
Authentication bypass in the OTP Login With Phone Number, OTP Verification WordPress plugin versions 1.8.50 through 1.8.60 allows unauthenticated remote attackers to log in as any user - including administrators - whose phone number is stored in user meta. The flaw stems from the Firebase OTP verification flow failing to bind the verified Firebase session to the phone number supplied in the request, so attackers can verify their own phone via Firebase and then submit a victim's number to be authenticated as that victim. No public exploit identified at time of analysis, but the trivial logic flaw and CVSS 9.8 score make this a critical priority.
Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions up to and including 6.4.15) allows authenticated contributor-level attackers to persistently inject malicious scripts via the carousel_direction parameter of the Carousel Anything widget. The root cause is an unquoted HTML attribute context in the render() function where esc_attr() is applied but insufficient - attribute injection is still possible by appending space-separated event handlers to the bare dir= attribute. Injected payloads persist in the database and execute in any visiting user's browser, including administrators, enabling session hijacking or privilege escalation; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the Simple Divi Shortcode WordPress plugin (versions up to and including 1.2) allows authenticated attackers with contributor-level access to permanently embed arbitrary JavaScript into WordPress pages via the unsanitized 'id' parameter of the [showmodule] shortcode. The injected payload executes in the browser of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or malicious redirects within the victim's authenticated session context. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stored Cross-Site Scripting in the Automotive Car Dealership Business WordPress Theme (all versions through 13.4.1) enables authenticated contributors to permanently embed arbitrary JavaScript via the 'project_details' custom field in Portfolio Items. Because the CVSS scope is Changed (S:C), injected scripts execute in the victim's browser context - not just the WordPress admin panel - enabling session hijacking, credential harvesting, or drive-by malware delivery against site visitors. No public exploit code has been identified at time of analysis, though contributor-level access is routinely available in multi-author dealership or agency WordPress deployments, making the authentication barrier practically low.
Authenticated PHP Object Injection in the WooCommerce Infinite Scroll and Ajax Pagination WordPress plugin (versions up to and including 1.8) allows Subscriber-level users to deserialize attacker-controlled data via the 'settings' parameter of the import_settings function. While the plugin itself contains no usable POP chain, the presence of any vulnerable gadget in another installed plugin or theme can escalate this into arbitrary file deletion, sensitive data disclosure, or remote code execution. There is no public exploit identified at time of analysis, but the low privilege barrier and ubiquity of WordPress gadget chains make this a meaningful risk for multi-plugin sites.
Remote unauthenticated privilege escalation in the WP Maps Pro WordPress plugin (all versions through 6.1.0) allows attackers to create a new administrator account and authenticate as that user, resulting in complete site takeover. The flaw stems from an AJAX handler exposed to unauthenticated users and protected only by a publicly-embedded nonce, making the access check ineffective. No public exploit identified at time of analysis, but the trivial nature of the bug (default-enabled handler, no authentication, magic login URL returned to the caller) makes weaponization straightforward once details circulate.
Stored cross-site scripting in the StatCounter - Free Real Time Visitor Stats WordPress plugin (versions up to and including 2.1.1) allows authenticated users with Author-level access or higher to inject arbitrary JavaScript into post pages by setting a crafted WordPress profile nickname. The unescaped nickname is embedded directly into a JavaScript string context within a <script> block rendered on every post page via the wp_head hook, causing the payload to execute in the browser of any visitor - including unauthenticated users - who loads a post authored by the attacker. No public exploit has been identified at time of analysis, but the low attack complexity (AC:L) and broad exposure surface (every post page on affected sites) make this a practical risk wherever sites permit untrusted Author-level accounts.
Unauthenticated information disclosure in the Cloudways Breeze Cache plugin for WordPress (all versions ≤ 2.5.2) allows remote attackers to retrieve administrator-cached page content by supplying a forged session cookie. When the non-default 'Cache Logged-in Users' feature is active, the plugin resolves cached page files by parsing the username directly from the cookie value without verifying the WordPress HMAC signature, enabling any unauthenticated actor who knows or guesses a valid username to obtain that user's cached HTML output. Exposed data includes full content of private posts, Admin Bar markup, WordPress nonces, and other privileged interface elements. No public exploit has been identified and the vulnerability is not listed in CISA KEV; version 2.5.3 contains the fix.
Poll Maker WordPress plugin (versions ≤6.3.7) leaks the complete WP_User object - including bcrypt password hashes, email addresses, login names, registration dates, roles, and capabilities - through an AJAX endpoint that performs no nonce verification or capability check beyond confirming the requestor is logged in. Any subscriber-level authenticated user on an affected site can call the `ays_poll_get_user_information` action and retrieve user data that WordPress deliberately withholds from all of its standard interfaces, including the REST API. No public exploit has been identified at time of analysis, but the attack requires only a valid subscriber session and a single POST request, and the recovered bcrypt hash enables offline password-cracking attacks.
Stored Cross-Site Scripting in the Post Snippets WordPress plugin (≤4.0.19) allows authenticated administrators on multisite installations to inject persistent JavaScript into the post editor via a crafted import file, exploiting a commented-out quote-escaping routine in WPEditor.php. The injected payload executes silently in the browser of any administrator who subsequently opens any post editor page, enabling session hijacking or further lateral movement within the multisite network. No public exploit identified at time of analysis; real-world impact is bounded by the Administrator-level access prerequisite and the explicit exclusion of single-site WordPress installations.
Unauthenticated privilege escalation in the Advanced Custom Fields: Extended (ACFE) WordPress plugin through version 0.9.2.5 allows remote attackers to create new administrator-level accounts on vulnerable sites. The flaw stems from the after_validate_save_post() function trusting an attacker-controlled POST parameter to bypass role allow-list and capability validation when a public ACFE frontend form with a Create User action is exposed. With a CVSS 9.8 and no public exploit identified at time of analysis, the vulnerability presents a direct site-takeover path on affected configurations.
Stored Cross-Site Scripting in the Shariff Wrapper WordPress plugin (all versions ≤ 4.6.20) allows authenticated Contributors to inject persistent JavaScript payloads via the 'headline' parameter of the [shariff] shortcode, which then execute in any visitor's browser upon page load. The Changed scope (S:C in CVSS) means the injected payload escapes the plugin's context and runs inside victim browsers across the full WordPress front-end, enabling session theft, credential harvesting, or drive-by redirection. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the low attack complexity and persistent nature of stored XSS make it a meaningful risk on multi-author or open-registration WordPress installations.
Unauthenticated privilege escalation in the Frontend Admin by DynamiApps WordPress plugin (versions up to and including 3.29.2) allows remote attackers to create administrator accounts by submitting a crafted form payload. The flaw stems from the plugin trusting an attacker-supplied form definition passed via $_POST['_acf_form'] as an array, which bypasses the legitimate server-side form lookup and allows the role field's allowed values to be spoofed. No public exploit identified at time of analysis, but the vulnerability is reported by Wordfence and is straightforwardly weaponizable given the documented logic flaw.
Missing authorization on the bulk appointments REST API endpoint in Simply Schedule Appointments WordPress plugin (all versions up to and including 1.6.11.8) permits unauthenticated mass modification and disclosure of customer appointment data. The flaw is compounded by a static, user-independent nonce embedded in the HTML source of any page rendering the [ssa_booking] shortcode, meaning a single anonymous page visit yields a credential sufficient to target every appointment in the system. An attacker can overwrite customer PII, alter payment status, and hijack meeting URLs across all bookings, or enumerate full customer records via the bulk endpoint response - no account or session required. No public exploit code and no CISA KEV listing are identified at time of analysis.
Missing authorization on three AJAX handlers in the Visualizer: Tables and Charts Manager plugin for WordPress (by Themeisle) allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and read or overwrite chart data owned by any site user, including administrators. The wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and wp_ajax_visualizer-upload-data actions invoke renderChartPages() and uploadData() without any current_user_can() capability check; the nonce validation in uploadData() is further trivialized by the absence of an action argument, making it bypassable with any valid WordPress nonce. No public exploit has been identified at time of analysis, and a vendor-released patch is available in version 4.0.1.
Authorization bypass in the Equalize Digital Accessibility Checker WordPress plugin (all versions through 1.42.0) allows low-privileged authenticated users to corrupt accessibility audit integrity site-wide. Authenticated attackers holding subscriber-level accounts or higher can invoke AJAX endpoints in class-ajax.php to modify the ignore state, ignore reason, and ignore comment of any accessibility issue across the entire site, effectively hiding or dismissing audit findings they are not authorized to manage. The vulnerability is amplified by a mass-modification code path triggered when the largeBatch=true parameter is supplied, enabling bulk suppression of all findings sharing a common object identifier in a single request. No public exploit code or CISA KEV listing has been identified at time of analysis.
Time-based blind SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.40) allows authenticated attackers holding contributor-level access or above to exfiltrate sensitive database contents by embedding a crafted shortcode in a post or draft. The `order_by` parameter is passed unsanitized into existing SQL queries, and the injected payload executes when the shortcode is rendered - targeting WordPress databases containing credentials, user PII, and site configuration. No public exploit code or CISA KEV listing has been identified at time of analysis, though the high confidentiality impact and low attack complexity make this a meaningful risk on any site with non-administrative contributors.
Sensitive information exposure in the PDF Embedder WordPress plugin (all versions through 4.9.3) allows authenticated attackers with contributor-level access or higher to extract configuration data via the enqueue_block_assets hook. The severity of impact is installation-dependent: on sites running the premium add-on with a saved license key, attackers can exfiltrate that license key; on Lite-only installations, exposed data is limited to non-sensitive viewer settings such as dimensions, toolbar preferences, and usage tracking. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Stored cross-site scripting in the HT Contact Form - Drag & Drop Form Builder for WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to inject persistent JavaScript via the 'file_upload' parameter, which gets rendered via dangerouslySetInnerHTML in the admin entry viewer. The injected payload executes in the browser context of any administrator who opens the affected submission, enabling session theft, privilege abuse, or arbitrary admin actions. No public exploit identified at time of analysis, and the issue requires the plugin's 'Store Submissions' setting to be enabled for the unsanitized values to persist.
Time-based blind SQL injection in the Simply Schedule Appointments WordPress plugin (versions up to and including 1.6.11.8) allows unauthenticated remote attackers to extract sensitive database contents through the 'append_where_sql' parameter on the /appointments/bulk REST endpoint. The endpoint's permission check accepts a public nonce embedded in the booking widget's frontend JavaScript, and a PUT request with a urlencoded body bypasses the plugin's blocklist by preventing PHP from populating the relevant superglobals. No public exploit identified at time of analysis, though Wordfence has documented the technique in detail.
Authorization bypass in the WordPress '3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On' plugin (all versions through 2.0.1) permits any subscriber-level authenticated user to overwrite the plugin's entire settings store via an exposed REST API endpoint with no privilege validation. The flaw stems from CWE-862 (Missing Authorization) in the REST route handler at /wp-json/ar_try_on/v1/settings, allowing arbitrary data to be written directly to the ar_try_on_settings database option. No public exploit identified at time of analysis and this vulnerability is not listed in CISA KEV, but the low authentication bar (subscriber account) makes it accessible to a broad attacker pool on sites with open user registration.
Reflected Cross-Site Scripting in the Easy Updates Manager WordPress plugin (versions ≤ 9.0.20) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'paged' parameter in the pagination() function of MPSUM_List_Table.php. Successful exploitation requires social engineering a logged-in WordPress administrator into clicking a crafted URL, after which the injected script executes in the admin's browser under the site's origin - enabling session hijacking, unauthorized admin actions, or credential theft. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.
Unauthorized access in the SMTP2GO for WordPress plugin (all versions through 1.16.0) allows authenticated attackers holding only subscriber-level accounts to either wipe all SMTP delivery log records from the WordPress database or export a full CSV of those logs - exposing recipient addresses, sender addresses, message subjects, and API response data. The flaw stems from missing authorization checks on administrative actions within the plugin's WordPress admin class (WordpressPluginAdmin.php), meaning low-privileged users can invoke privileged log-management operations without restriction. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege bar makes this accessible to any registered WordPress user.
Authorization bypass in the Geo Mashup WordPress plugin (all versions ≤ 1.13.19) exposes sensitive plugin configuration data to unauthenticated remote attackers, including Google Maps API keys and GeoNames service credentials. The flaw (CWE-862 Missing Authorization) exists at specific request-handling code paths in geo-mashup.php (lines 515, 528, and 1525), where the plugin returns configuration data without verifying requester authorization. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially exploitable with no authentication, no complexity, and no user interaction required against any affected installation.
Stored cross-site scripting in the a3 Lazy Load WordPress plugin (all versions through 2.7.6) allows authenticated Contributor-level users to inject persistent JavaScript into posts via a deliberately crafted <video> tag. Two compounding flaws drive the vulnerability: a regex bug in the _filter_videos() method that mishandles HTML attribute quoting, and unescaped output in the admin/views/form-data.php template. When any user - including a site administrator - views an affected post, the injected event-handler attributes (autofocus, onfocus) execute in the viewer's browser, enabling session hijacking or unauthorized privileged actions. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.