WordPress
Monthly
Insecure Direct Object Reference in Yoast SEO for WordPress (all versions through 26.5) allows authenticated Contributor-level users to read SEO metadata from any post on the site - including private posts, drafts, and content owned by other users - by supplying arbitrary post_id values to the Meta Search REST API endpoint. The flaw is a missing object-level authorization check: the plugin verified generic edit capability rather than per-post ownership. No public exploit identified at time of analysis, and EPSS stands at 0.03% (8th percentile), indicating low exploitation interest in the wild.
Stored Cross-Site Scripting in the Splide Carousel Block WordPress plugin (all versions ≤ 1.7.1) allows authenticated attackers with contributor-level access to inject persistent JavaScript via the 'url' block attribute, executing against any visitor of the affected page. The attack requires the malicious post to be published by an editor or administrator before the payload fires, adding a social-engineering or workflow-abuse dependency. With an EPSS of 0.03% (9th percentile) and no current CISA KEV listing, real-world exploitation risk is low but non-negligible on sites permitting untrusted contributors to submit content.
Uncontrolled resource consumption in the Simply Schedule Appointments WordPress plugin (all versions ≤ 1.6.11.5) enables unauthenticated remote attackers to exhaust PHP-FPM or mod_php worker processes, effectively rendering the WordPress site unavailable to legitimate users. The attack surface is a publicly accessible REST endpoint (/wp-json/ssa/v1/async) that directly passes a caller-controlled delay parameter into PHP's native sleep() function with no rate limiting or input sanitization. No public exploit code has been identified at time of analysis and EPSS is very low (0.05%, 15th percentile), suggesting limited opportunistic interest so far, though the trivially low attack complexity means any actor can attempt this with no tooling.
Stored Cross-Site Scripting in Style Kits for Elementor (analogwp-templates) WordPress plugin versions up to and including 2.5.0 allows authenticated attackers with contributor-level access to inject persistent JavaScript payloads via the kit title parameter at the /wp-json/agwp/v1/tokens/save REST API endpoint. The injected script executes in the browser of any user who subsequently visits an affected page, with a Changed scope (S:C) indicating cross-user impact that can reach administrators. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) signals low observed exploitation probability, though the contributor-level barrier is low on multi-author WordPress sites.
Missing authorization in the AA-Team Woocommerce Envato Affiliates WordPress plugin (versions up to and including 1.2.1) lets a low-privileged authenticated user invoke functionality that is not properly gated by access-control checks, most likely modifying plugin settings as indicated by the Patchstack advisory slug. Because the action carries a high integrity impact, an attacker holding even a basic account can tamper with configuration that should be reserved for administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated broken access control in Magepeople Inc.'s Taxi Booking Manager for WooCommerce plugin (versions up to and including 2.0.1) exposes limited information to remote attackers without requiring any credentials or user interaction. The plugin fails to enforce proper authorization checks on one or more endpoints, classified under CWE-862 (Missing Authorization), allowing unauthenticated network requests to access functionality or data that should be restricted. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.03%, indicating low observed exploitation probability at time of analysis.
Cross-site request forgery in the Zoho Mail WordPress plugin (all versions before 1.6.2) enables a remote attacker to perform unauthorized, integrity-impacting actions on behalf of an authenticated WordPress user without their knowledge. The CVSS 5.7 medium score reflects high integrity impact with no confidentiality or availability exposure, requiring low-privilege victim authentication and user interaction. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 1st percentile and SSVC classifies exploitation status as none.
Authentication bypass in ThemeHigh's Stripe Payment Gateway for WooCommerce (all versions through 5.0.7) allows unauthenticated remote attackers to exploit the plugin's password recovery flow to gain unauthorized access, affecting both data integrity and availability (CVSS 6.5). The flaw is classified as CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin exposes an alternative code path that circumvents normal authentication controls. No public exploit code has been identified at time of analysis, and CISA has not added this to KEV, though SSVC flags the attack as automatable with partial technical impact.
Unauthenticated integrity compromise in WebToffee Smart Coupons for WooCommerce (versions before 2.3.0) allows remote attackers to bypass access controls and modify coupon-related data without authentication. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit has been identified at time of analysis, SSVC flags the issue as automatable, meaning mass exploitation tooling could emerge rapidly. EPSS is currently low (0.03%) despite the network-exploitable nature of the bug.
Missing Authorization in Autoship Cloud for WooCommerce Subscription Products (versions through 2.14.0) allows authenticated low-privileged users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack, this CWE-862 flaw means the plugin fails to verify whether an authenticated user holds the correct capability before executing sensitive operations within the WooCommerce subscription management interface. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) signals negligible automated exploitation activity at this time.
WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Privilege escalation in the WishList Member WordPress plugin (versions through 3.30.1) allows authenticated subscriber-level attackers to extract the plugin's plaintext REST API Secret Key and use it to create administrator accounts, resulting in full site takeover. The flaw is reachable via a single AJAX call (ajax_get_screen) that lacks capability and nonce checks. No public exploit identified at time of analysis, but the attack path is fully described in the Wordfence advisory and requires only low-privileged authenticated access.
Privilege escalation in the Wishlist Member WordPress plugin (versions through 3.30.1) allows any authenticated user with Subscriber-level access or higher to update arbitrary plugin options, including the REST API Secret Key, leading to full site takeover. The flaw stems from a missing capability check in the Team_Accounts::save_settings function, and although no public exploit identified at time of analysis, the low authentication bar and chained admin-account creation path make it a high-priority risk on any WordPress site that permits public registration.
Unauthorized order manipulation and information disclosure in the WooCommerce PayPal Payments WordPress plugin (versions through 4.0.1) allows remote unauthenticated attackers to abuse two WC-AJAX endpoints (ppc-create-order and ppc-get-order) that lack authorization checks. By chaining these endpoints, an attacker can create a PayPal order against any victim's WooCommerce order ID and then retrieve full PayPal order details including payer information and shipping data. No public exploit identified at time of analysis, but the plugin's broad e-commerce deployment and trivial attack complexity make this a credible target.
Privilege escalation in the WishList Member WordPress plugin versions up to 3.30.1 allows authenticated low-privilege users to obtain the REST API Secret Key via the unprotected 'export_settings' AJAX endpoint and leverage it to register arbitrary administrator accounts. The CVSS 8.8 (High) rating reflects full confidentiality, integrity, and availability impact, and while no public exploit is identified at time of analysis, the discovery by Wordfence - a major WordPress security vendor - typically precedes broader exploitation against the large WordPress plugin ecosystem.
Privilege escalation in the Wishlist Member WordPress plugin (versions ≤3.30.1) allows authenticated Subscriber-level users to overwrite the plugin's REST API Secret Key and abuse it to create administrator accounts, leading to full site takeover. The flaw stems from a missing capability check on the generate_api_key hook handler. No public exploit identified at time of analysis, though Wordfence has published a threat-intel advisory.
Unauthorized playlist data disclosure in the AudioIgniter WordPress plugin (≤2.0.2) allows remote unauthenticated attackers to retrieve track metadata for non-public playlists via the /audioigniter/playlist/{id}/ rewrite endpoint. The handle_playlist_endpoint() function validates only post_type, omitting authentication, capability, and post_status checks, so draft, private, pending, and trashed playlists are reachable by ID enumeration. No public exploit identified at time of analysis; the issue is fixed in version 2.0.3 per the vendor commit.
Authorization bypass in MotoPress Hotel Booking plugin for WordPress (all versions through 6.0.1) allows unauthenticated remote attackers to overwrite or delete internal booking notes for any reservation by supplying an arbitrary booking ID. The root cause is a nonce that is unconditionally output into every public page's HTML via wp_localize_script under MPHB._data.nonces, meaning any site visitor - without an account or any prior interaction - can obtain a valid nonce and invoke the update-booking-notes AJAX action against any booking. No public exploit code has been identified at time of analysis, but the trivially accessible nonce makes this effectively zero-friction to abuse.
Blind Server-Side Request Forgery in FluentCRM (WordPress plugin, all versions ≤2.9.87) allows unauthenticated remote attackers to coerce the web server into issuing arbitrary HTTP requests via the 'SubscribeURL' parameter in SES bounce handling. Exploitation is constrained to sites where the SES bounce handling key has never been initialized - a default state that persists until an administrator visits the bounce configuration page. Successfully exploited, this flaw can be used to probe and interact with internal services (cloud metadata endpoints, intranet APIs, adjacent containers), achieving limited but meaningful confidentiality and integrity impact across a changed scope. No public exploit or CISA KEV listing exists at time of analysis, though source code references expose the vulnerable code path directly.
Sensitive information exposure in the Slider by Soliloquy WordPress plugin (versions ≤ 2.8.1) allows authenticated attackers with subscriber-level access to read draft slider content that should be restricted to administrators and editors. The flaw exists in the plugin's map_meta_cap implementation within posttype.php, where capability checks are insufficiently enforced, permitting low-privileged users to retrieve draft slider metadata including unpublished media URLs, captions, and full slider configuration details. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthorized data disclosure in the Ditty - Responsive News Tickers, Sliders, and Lists WordPress plugin (versions 0 through 3.1.65) allows unauthenticated remote attackers to retrieve the full contents of non-public Ditty entries - including drafts, pending, scheduled, and disabled posts - by enumerating integer post IDs against the ditty_init AJAX endpoint. The flaw stems from the init_ajax() handler omitting the 'publish' post status check that its non-AJAX counterpart performs, exposing content administrators deliberately withheld from public view. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Cross-Site Request Forgery in the Widget Context WordPress plugin (all versions ≤ 1.3.3) allows unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table by forging a POST request to /wp-admin/widgets.php. The root cause is missing or incorrect nonce validation in the save_widget_context_settings function, confirmed by Wordfence and corroborated by source code references at WidgetContext.php lines 91, 282, and 311. Exploitation requires social engineering a logged-in administrator into clicking an attacker-controlled link; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Authorization bypass in the Vedrixa Forms WordPress plugin (all versions through 1.1.1) permits authenticated attackers with subscriber-level access to overwrite the structure of any registration form by writing attacker-controlled data directly to the plugin's FORMS database table. The root cause is a missing authorization check on the form-saving AJAX handler, compounded by the fact that the required ajax-nonce is publicly exposed via wp_localize_script() on any page rendering a form shortcode - meaning any authenticated visitor can harvest the nonce without elevated privileges. The vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis; however, on open-registration WordPress sites the subscriber-level barrier is trivially bypassed.
Unauthenticated privilege escalation in the Easy Elements for Elementor WordPress plugin through version 1.4.5 allows remote attackers to register administrator accounts by abusing an unchecked custom_meta parameter in the eel_register AJAX handler. The flaw lets attackers overwrite the wp_capabilities user meta after wp_insert_user() has assigned a safe role, granting full site takeover. No public exploit identified at time of analysis, and the CVSS vector's PR:L appears inconsistent with the description's explicit unauthenticated abuse path.
Cross-Site Request Forgery in the Alfie - Feed Plugin for WordPress (all versions ≤ 1.2.1) allows unauthenticated remote attackers to delete arbitrary plugin feed data by tricking a logged-in site administrator into clicking a crafted link. The missing nonce validation on the alfie_manage() function means any forged GET request containing the 'delete' parameter will be processed without verifying its origin, permanently removing records from the plugin's four database tables. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and purely social-engineering prerequisite make it a credible threat against active WordPress sites using this plugin.
Missing authorization controls in the FastX WordPress theme allow authenticated Subscriber-level users to install and activate the PostX plugin without administrative approval. The vulnerability exists in two AJAX callback functions - 'ultp_install_callback' and 'ultp_activate_callback' - which fail to verify whether the requesting user holds sufficient capabilities before executing privileged plugin management operations. All versions up to and including 1.0.2 are affected per WPXPO's theme codebase on themes.trac.wordpress.org. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Reflected Cross-Site Scripting in WP Blockade - Visual Page Builder (all versions through 0.9.14) allows authenticated attackers holding at minimum a WordPress Subscriber-level account to inject arbitrary JavaScript into pages rendered in a victim's browser. The vulnerability exists in the render_shortcode_preview() function, which passes raw GET input through do_shortcode() without sanitization or output escaping - when the input is not a recognized shortcode, WordPress returns it verbatim, causing any embedded script to execute. Exploitation requires social engineering an authenticated user (e.g., an admin) into clicking a crafted link, but the low barrier to entry (Subscriber-level account) significantly widens the attacker pool on multi-user WordPress installations. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Unauthorized modification of weather display settings in the Location Weather WordPress plugin (versions ≤3.0.2) is achievable by any authenticated user with Contributor-level access or above, due to missing capability checks on the administrative functions `splw_update_block_options()` and `lwp_clean_weather_transients()`. Affected sites expose the protective nonce to all authenticated sessions via `wp_localize_script()` on the `init` hook, neutralizing what would otherwise be a secondary CSRF defense and making exploitation straightforward for any logged-in user. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; real-world impact is limited to disruption of weather widget display and cache integrity rather than data theft or code execution.
Stored Cross-Site Scripting in the KIA Subtitle WordPress plugin (all versions through 4.0.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the `before` and `after` attributes of the `the-subtitle` shortcode. Any site visitor loading a page containing the injected shortcode will execute the attacker's script in their browser context. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and network-accessible attack vector make this a meaningful risk for multi-author WordPress sites.
Reflected Cross-Site Scripting in the CBX 5 Star Rating & Review WordPress plugin (versions up to and including 1.0.7) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'page' parameter rendered in administrative log templates. Successful exploitation requires social engineering an authenticated administrator into clicking a crafted URL, limiting automated mass exploitation while remaining a realistic threat in targeted phishing campaigns against WordPress site owners. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the Draft List WordPress plugin (versions up to and including 2.6.3) allows authenticated attackers with author-level access to inject arbitrary web scripts into draft post titles using attribute-breakout techniques. The critical aggravating factor is the changed scope (S:C in CVSS): the unescaped rendering path is specifically triggered for users who lack edit capabilities, meaning the payload executes against unauthenticated visitors and subscribers - not just privileged users. No public exploit has been identified at time of analysis, but Wordfence disclosure and the low privilege bar (author-level sufficient) make this a meaningful cross-user threat in any multi-author WordPress environment.
Unauthenticated SQL injection in the WP ERP Pro WordPress plugin (versions through 1.5.1) allows remote attackers to extract sensitive database contents by manipulating the 'search_key' parameter. The flaw stems from missing input escaping and unprepared SQL statements, enabling UNION-based or appended query attacks against any WordPress site running the affected plugin. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.
Missing capability check in GSheet For Woo Importer (WordPress plugin, all versions through 2.3.1) allows authenticated attackers with Subscriber-level access to invoke the process_ajax_restore_action() AJAX function and permanently delete the plugin's Google Sheets API token and associated configuration options. This disrupts WooCommerce product import workflows dependent on the Google Sheets integration. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Privilege escalation in the Divi Form Builder WordPress plugin (versions ≤5.1.2) allows unauthenticated remote attackers to register administrator accounts by submitting a tampered 'role' parameter in the registration POST body. The plugin trusts the client-supplied role value instead of enforcing the form's configured default_user_role, yielding full WordPress site takeover. No public exploit identified at time of analysis, but the CVSS 9.8 score and trivial exploitability make this a high-priority patch for any site running the plugin with public registration forms.
Stored Cross-Site Scripting in Avada (Fusion) Builder for WordPress (all versions through 3.15.2) allows authenticated attackers with Subscriber-level access to persist malicious JavaScript via unsanitized shortcode parameters. The injected scripts execute in the browser of any user - typically an administrator - who views a page rendering dynamic user data such as biographical information sourced through the plugin's Dynamic Data feature. With CVSS Scope set to Changed (S:C), successful exploitation crosses the victim's security boundary, enabling session hijacking or privilege escalation against higher-privileged users. No public exploit code or CISA KEV listing has been identified at time of analysis.
Unauthenticated remote code execution in the Avada Builder (fusion-builder) WordPress plugin versions up to and including 3.15.2 allows attackers to execute arbitrary PHP on affected sites by abusing an unsanitized call_user_func() invocation reachable through a public AJAX endpoint. Wordfence-reported issue affects any WordPress site running the Avada theme stack that exposes a Post Cards or Table of Contents element on a public page, since the protecting nonce is deterministically leaked in the page's JavaScript. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial precondition (visiting one page that emits the nonce) make this high-priority.
Stored Cross-Site Scripting in the WPB Floating Menu & Categories WordPress plugin (all versions through 1.0.8) permits authenticated attackers holding Editor-level privileges or higher to inject arbitrary JavaScript via the 'Icon CSS Class' category field. The injected payload persists in the database and executes in the browser of any site visitor who loads a page containing the affected floating menu component, enabling session hijacking or credential harvesting against arbitrary users including administrators. No public exploit has been identified at time of analysis, and the plugin is not listed in the CISA KEV catalog; the CVSS 4.9 Medium score reflects the significant mitigation provided by the high-privilege prerequisite.
Insecure Direct Object Reference in the Broadstreet WordPress plugin (all versions through 1.52.2) allows any authenticated user with Subscriber-level access to read arbitrary private post metadata by supplying a user-controlled key to the get_sponsored_meta AJAX endpoint without server-side authorization checks. The vulnerability stems from a missing object-level authorization check (CWE-639), a common class of flaw in WordPress plugin AJAX handlers. No public exploit code or active exploitation has been identified at time of analysis, and a patched version (1.53.2) is available via the WordPress plugin repository.
Unrestricted file upload in WP Swings Gift Cards For WooCommerce Pro plugin (versions up to and including 4.2.6) allows remote unauthenticated attackers to upload malicious files of dangerous types to vulnerable WordPress sites. With a maximum CVSS score of 10.0 and a scope-changed vector, successful exploitation typically leads to remote code execution and full site compromise. No public exploit identified at time of analysis, though the high severity and ease of exploitation make this a priority concern for any WooCommerce site using this plugin.
Stored cross-site scripting in the Cost of Goods by PixelYourSite WordPress plugin (versions ≤1.2.12) allows remote unauthenticated attackers to inject persistent JavaScript via the 'csvdata[0][cost_of_goods_value]' parameter. Injected payloads execute in the browser of any user (including administrators) who later views the affected page, enabling session hijacking and admin takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Blind SQL injection in YITH WooCommerce Product Add-Ons (WordPress plugin) through version 4.29.0 allows high-privileged authenticated users to inject malicious SQL into database queries, leading to confidentiality compromise and limited availability impact across a changed security scope. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.6; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Sensitive information exposure in the Slider Revolution WordPress plugin (versions up to and including 7.0.9) allows unauthenticated remote attackers to bypass WordPress's native password-protection mechanism and retrieve the full content of protected posts, pages, and WooCommerce products via the vulnerable `get_stream_data()` function. The CVSS vector confirms no authentication, no user interaction, and no special conditions are required, making this trivially exploitable against any affected installation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
SQL injection in SureCart WordPress plugin versions prior to 4.2.1 allows authenticated high-privileged attackers to extract arbitrary database contents via the /surecart/v1/integrations/{id} REST endpoint. The flaw stems from a sanitization bypass in the wp-query-builder component where payloads containing a dot character skip $wpdb->prepare() escaping entirely, enabling UNION-based data exfiltration. No public exploit identified at time of analysis, though Tenable Research has published technical details (TRA-2026-43).
Authenticated privilege escalation in the AcyMailing WordPress plugin (versions up to and including 10.8.2) allows users with subscriber-level access or higher to modify privileged plugin configuration and export subscriber secret keys. By chaining these missing authorization flaws with knowledge of an administrator's email address, attackers can achieve full administrator account takeover. No public exploit identified at time of analysis, but Wordfence - the reporting party - typically tracks WordPress plugin abuse closely.
Stored Cross-Site Scripting via CSRF in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows unauthenticated remote attackers to inject persistent JavaScript into the WordPress admin panel by tricking a logged-in administrator into visiting an attacker-controlled page. The attack chains two flaws: a missing nonce check on the settings handler (no check_admin_referer()) that permits any cross-origin POST to modify plugin settings, and a double-quote escape bypass where the API key value is stored after sanitize_text_field() sanitization but rendered into an HTML attribute via bare echo without esc_attr(), allowing the payload to survive both sanitization and storage. No public exploit has been identified at time of analysis, and the CVE is not listed in the CISA KEV catalog.
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
Stored XSS in the Email Encoder WordPress plugin (all versions before 2.4.7) permits unauthenticated remote attackers to inject persistent malicious scripts by supplying unsanitized email addresses through public-facing input fields. Because the CVSS scope is Changed (S:C), injected payloads execute in victim browsers rather than the server context, enabling session hijacking, credential theft, or malicious redirects against any visitor who loads an affected page. A publicly available proof-of-concept exists per WPScan reporting; no public exploit identified at time of analysis as actively exploited via CISA KEV.
Stored Cross-Site Scripting in the AI Chatbot & Workflow Automation by AIWU WordPress plugin (versions ≤1.4.14) allows injection of arbitrary web scripts via the unsanitized X-Forwarded-For HTTP request header. The injected payload persists server-side and executes in the browser of any user who accesses an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, though practical exploitation is further constrained by a 20-character storage limit on the injected value.
Insecure Direct Object Reference in NextGEN Gallery WordPress plugin through version 4.2.0 allows authenticated attackers with Subscriber-level privileges and the 'NextGEN Manage gallery' capability to delete gallery images belonging to other users, including their physical files from disk. The DELETE /imagely/v1/images/{id} REST endpoint validates only the 'NextGEN Manage gallery' capability, entirely omitting gallery ownership checks and the 'NextGEN Manage others gallery' permission - making cross-user image destruction possible at low privilege. No public exploit code identified at time of analysis and no CISA KEV listing; however, when deleteImg is enabled (default), exploitation results in irreversible file-level data loss beyond what the CVSS 4.3 integrity score alone conveys.
Local File Inclusion in the Advanced Database Cleaner - Premium WordPress plugin (versions up to and including 4.1.0) allows Subscriber-level authenticated users to include and execute arbitrary .php files via the 'template' parameter. The flaw, reported by Wordfence, carries a CVSS score of 8.8 and can be escalated to full remote code execution when combined with a file upload primitive, while no public exploit identified at time of analysis.
Sensitive credential exposure in the All in One SEO WordPress plugin (versions up to and including 4.9.7) allows authenticated contributors to harvest API tokens, OAuth credentials, and license keys directly from rendered page source. The plugin passes unmasked internal configuration data to the browser via WordPress's wp_localize_script() mechanism in post editor contexts, making sensitive values accessible to any user with contributor-level access or above. No public exploit code or active exploitation has been identified at time of analysis, but exposed credentials carry secondary risk - compromised API/OAuth tokens could enable account takeover or abuse of connected third-party services.
PHP Object Injection in the Boost plugin for WordPress (versions up to and including 2.0.3) allows unauthenticated remote attackers to inject arbitrary PHP objects via the STYXKEY-BOOST_USER_LOCATION cookie. The vulnerability stems from unsafe deserialization of attacker-controlled cookie data; while the plugin itself ships no usable POP (property-oriented programming) chain, exploitation becomes high-impact when any other installed plugin or theme provides one. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthorized template creation in the Xpro Addons for Elementor WordPress plugin exposes sites to unauthenticated content injection via a missing capability check on the get_content_editor AJAX function. All plugin versions through 1.5.0 are affected, allowing any remote attacker without credentials to create and publish Xpro templates on targeted WordPress sites. No public exploit identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitability against default installations with no preconditions.
Unauthenticated SQL injection in the PixelYourSite Boost plugin for WordPress (versions up to and including 2.0.3) allows remote attackers to extract sensitive database contents via time-based blind SQLi in the 'current_url' and 'user_name' parameters. Wordfence reported the issue with a CVSS 7.5 (confidentiality-only impact); no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the Logo Manager For Enamad WordPress plugin (versions up to and including 0.7.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title' attribute of three shortcodes - vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom. The injected payload executes in the browser of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects against site visitors and administrators. No public exploit code or active exploitation has been identified at time of analysis; however, the low privilege requirement (contributor) broadens the realistic attacker pool on multi-author WordPress sites.
Stored Cross-Site Scripting in the Faces of Users WordPress plugin (all versions through 0.0.3) allows authenticated attackers with Contributor-level access or above to inject persistent malicious JavaScript via the 'default' attribute of the 'facesofusers' shortcode. Once injected, the payload executes silently in the browser of any user who visits the compromised page, enabling session theft, credential harvesting, or malicious redirects targeting higher-privileged users including administrators. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Cross-Site Request Forgery chained to Stored Cross-Site Scripting in the Word 2 Cash WordPress plugin (versions ≤ 0.9.2) allows unauthenticated remote attackers to plant persistent JavaScript payloads inside the WordPress admin panel. The attack succeeds because the plugin's settings handler (w2c_admin()) performs no nonce verification, no input sanitization before storage, and no output escaping on retrieval - meaning a forged POST from any attacker-controlled page is indistinguishable from a legitimate admin save. No public exploit or CISA KEV listing has been identified at time of analysis, but the CVSS score of 6.1 with Changed scope reflects real post-exploitation reach within the admin context once triggered.
Cross-Site Request Forgery in the Child Height Predictor by Ostheimer WordPress plugin (all versions through 1.3) allows unauthenticated remote attackers to modify plugin settings by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of nonce verification in the options() function - neither wp_nonce_field() in the form template nor check_admin_referer()/wp_verify_nonce() in the handler - meaning any forged POST request from an admin session will be accepted and persisted to the database. No public exploit has been identified at time of analysis, and CVSS scores this as medium severity (4.3), which aligns with the limited integrity impact (settings modification only, no confidentiality or availability loss).
Cross-Site Request Forgery in the Bottom Bar WordPress plugin (all versions up to and including 0.1.7) allows unauthenticated attackers to modify plugin configuration by tricking a logged-in administrator into visiting a malicious page. All three administrative settings forms - main settings, sharing services, and restore defaults - lack both wp_nonce_field() output and server-side check_admin_referer() validation in bottom-bar-admin.php, meaning any POST to those endpoints is processed without request authenticity checks. No public exploit has been identified at time of analysis, no patched version has been confirmed, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the General Options WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers holding Administrator-level privileges to persist malicious JavaScript in the Contact Number settings field, which executes in the browser of any administrator who subsequently visits the plugin's settings page. The flaw is rooted in the misapplication of sanitize_text_field() for output escaping - a function that strips HTML tags but does not encode double-quote characters, enabling attribute context breakout when the stored value is echoed inside a double-quoted HTML attribute. WordPress's wp_magic_quotes backslash-prefixing mechanism provides no protection here because HTML parsers treat the backslash as a literal character rather than an escape sequence. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Time-based blind SQL injection in the Read More & Accordion WordPress plugin (slug: expand-maker) through version 3.5.7 enables authenticated administrators to exfiltrate arbitrary database contents, including administrator password hashes, by manipulating the orderby GET parameter. The flaw exists in two data-retrieval functions in ReadMoreData.php, where user input bypasses effective sanitization and is concatenated unquoted into an ORDER BY SQL clause. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, though the high-confidentiality CVSS impact (C:H) reflects genuine data-exposure potential.
Authentication bypass in the Oliver POS WooCommerce Point of Sale WordPress plugin (all versions through 2.4.2.6) allows unauthenticated remote attackers to gain full access to the plugin's REST API namespace by exploiting PHP type juggling in the permission callback. On fresh installations where the admin has not yet completed the connection wizard, the stored authorization token is unset (PHP false), and sending the header 'OliverAuth: 0' satisfies the loose comparison '0' == false, returning true and granting unrestricted access to all /wp-json/pos-bridge/* endpoints. Successful exploitation enables reading administrator account details, updating user profiles including email addresses, deleting non-admin users, and ultimately resetting the admin email to achieve full WordPress site takeover. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the Amazon Scraper WordPress plugin (submone, all versions through 1.1) allows unauthenticated remote attackers to modify plugin settings and inject persistent malicious scripts by tricking an authenticated site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation across multiple functions in amazon-admin.php (identified at lines 13, 26, 45, and 49). No public exploit has been identified at time of analysis, and the plugin has not been added to the CISA KEV catalog, but the Wordfence-reported disclosure includes direct source code references making exploitation straightforward for a motivated attacker.
Settings-reset CSRF in the Remove Yellow BGBOX WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to overwrite the plugin's stored configuration by tricking a logged-in site administrator into loading a forged request. The vulnerability stems from absent nonce validation on the rybb_api_settings page, confirmed by Wordfence with direct source code references to admin/rybb_api_settings.php and includes/functions.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited integrity impact keeps real-world priority low.
Stored Cross-Site Scripting in the Diagnosis Generator (診断ジェネレータ作成プラグイン) WordPress plugin allows any subscriber-level authenticated user to write arbitrary JavaScript into WordPress theme files by exploiting a missing capability check in themeFunc(). The payload persists in theme files and executes in every site visitor's browser upon loading any page containing the diagnosis form shortcode, giving a single low-privilege attacker persistent, cross-user script execution. No public exploit has been identified at time of analysis, but the subscriber-level access requirement makes this a broad risk on any WordPress site with open user registration.
Server-side request forgery in the Nexa Blocks WordPress plugin (versions up to and including 1.1.1) exposes internal network infrastructure to unauthenticated remote attackers by combining an unvalidated URL passthrough with a publicly leaked authentication nonce. The plugin's import_demo() function at template.php:242 forwards an attacker-supplied URL directly to WordPress's wp_remote_get() with no scheme restriction, host allowlist, or RFC-1918 blocklist, and the nexa_blocks_nonce that gates this AJAX endpoint is serialized into every public-facing page's HTML via wp_localize_script, nullifying the intended access control entirely. No public exploit has been identified at time of analysis and this is not listed in CISA KEV, but the effective authentication bypass and trivial exploitation path elevate practical risk substantially above what the CVSS 5.4 score alone communicates.
Privilege escalation in the Read More & Accordion WordPress plugin (versions up to and including 3.5.7) allows authenticated low-privileged users granted import rights through the plugin's role settings to write arbitrary rows into the wp_users and wp_usermeta tables, effectively creating a new administrator account. The flaw stems from the RadMoreAjax::importData function failing to restrict target database tables and to validate imported data. No public exploit identified at time of analysis, though the vulnerability was disclosed by Wordfence threat intelligence researchers.
Cross-Site Request Forgery in the Sentence To SEO WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to inject persistent malicious scripts and overwrite plugin settings by forging admin form submissions against the unprotected create_admin_page() function. Because the CVSS vector carries Changed scope (S:C), a successfully forged request can achieve Stored XSS within the WordPress admin context, crossing the boundary from the plugin into the administrator's browser session. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists, but the attack class is well-understood and exploitation templates for WordPress CSRF-to-XSS chains are widely available.
Cross-Site Request Forgery in the BLOGCHAT Chat System WordPress plugin (all versions through 1.3.6.3) enables unauthenticated remote attackers to both update plugin settings and inject persistent malicious web scripts by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from missing or incorrect nonce validation across multiple functions in wp-blogchat-widget.php (lines 208, 215, 222, 293), making it a compound CSRF+Stored XSS risk with Changed scope (S:C) in the CVSS rating. No public exploit code or CISA KEV listing has been identified at time of analysis.
Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.
Reflected Cross-Site Scripting in the VatanSMS WP SMS WordPress plugin (all versions through 1.01) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `page` parameter, executing in the context of a logged-in administrator's browser session. Exploitation requires social engineering an administrator into clicking a crafted link, making this a medium-severity but realistic threat vector for WordPress site takeover or credential theft. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in the TypeSquare Webfonts for ConoHa WordPress plugin (all versions through 2.0.4) allows authenticated attackers with subscriber-level access to arbitrarily modify site-wide font configuration by submitting a POST request to any wp-admin page. The plugin fails to verify that the requesting user has permission to alter settings such as typesquare_auth (fontThemeUseType), show_post_form, and typesquare_fonttheme (CWE-862). Compounding the issue, when fontThemeUseType values 1 or 3 are targeted, nonce verification is also absent, making those specific code branches additionally exploitable via cross-site request forgery against higher-privileged users. No public exploit has been identified at time of analysis, and no confirmed patched version has been released.
Reflected Cross-Site Scripting in the SponsorMe plugin for WordPress (all versions through 0.5.2) allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking an authenticated user - likely a WordPress administrator - into clicking a specially crafted wp-admin/admin.php URL. The PHP_SELF superglobal is reflected unsanitized in two distinct locations within the same vulnerable function: a form action attribute (sponsorme.php:440) and an anchor href attribute (sponsorme.php:475), doubling the attack surface. No patch has been identified at time of analysis, and no public exploit or CISA KEV listing has been confirmed.
Cross-Site Request Forgery in the JaviBola Custom Theme Test WordPress plugin (all versions through 2.0.5) enables unauthenticated remote attackers to silently replace the site's active theme by forging a request that modifies the `jbct_theme` option. Exploitation requires social-engineering a logged-in site administrator into clicking a crafted link - the CVSS UI:R requirement reflects this dependency. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Cross-Site Request Forgery in the Bigfishgames Syndicate WordPress plugin (all versions through 1.2) enables unauthenticated remote attackers to reset and overwrite plugin settings by forging admin-panel requests. The vulnerability resides in the bigfishgames_syndicate_submenu() function, which lacks proper WordPress nonce validation, meaning any crafted HTTP request bearing a valid admin session will be accepted as legitimate. Exploitation requires tricking an authenticated site administrator into triggering the forged request; no public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Reflected Cross-Site Scripting in the Correct Prices WordPress plugin (versions up to and including 1.0) exposes any site running this plugin to script injection via crafted URLs. The correct_prices_page() function writes the raw value of $_SERVER['PHP_SELF'] into a form's action attribute without calling esc_url() or esc_attr(), allowing an attacker to break out of the HTML attribute context and inject arbitrary markup. CVSS vector PR:N confirms no authentication is required from the attacker, though exploitation is limited by a required user interaction (UI:R) - a victim must be tricked into following a specially crafted link. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code was identified at time of analysis.
Stored Cross-Site Scripting in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows authenticated administrators to persist malicious scripts in the plugin's settings that execute in any user's browser upon visiting the settings page. The flaw exists because the plugin applies sanitize_text_field() to the anomify_api_key input - a function that strips HTML tags but does not encode double-quote characters - then echoes the stored value directly into an HTML attribute context (value="...") without the appropriate esc_attr() call. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE; the CVSS score of 4.4 reflects the high privilege bar and high complexity required to exploit.
Unauthenticated SQL injection in the Creative Mail - Easier WordPress & WooCommerce Email Marketing plugin (versions up to and including 1.6.9) allows remote attackers to append arbitrary SQL clauses through the 'checkout_uuid' parameter handled by the has_checkout_consent() method. The flaw stems from missing escaping and the absence of a prepared statement, enabling extraction of sensitive database contents from any WordPress site running the vulnerable plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege escalation in the Easy Elements for Elementor WordPress plugin (versions up to and including 1.4.4) allows unauthenticated remote attackers to register accounts with the 'administrator' role, granting full site takeover. The flaw exists in the 'easyel_handle_register' function which fails to validate or restrict the user role parameter submitted during registration. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward.
SQL Injection in the Infility Global WordPress plugin (all versions through 2.15.16) allows authenticated attackers holding only a Subscriber-level account to append arbitrary SQL to existing database queries and extract sensitive information. The vulnerability originates in the show_control_data::post_list() function, which is registered as an admin menu page gated only by the 'read' capability - the lowest WordPress capability tier. With CVSS C:H and no integrity or availability impact, the primary real-world risk is wholesale database exfiltration on any site with open user registration. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Stored Cross-Site Scripting in the CVMH Sticky plugin for WordPress (versions ≤2.5.6) enables authenticated contributors to inject persistent JavaScript via the `readmoretext` attribute of the `[cvmh-sticky]` shortcode. The payload executes in the browsers of any visitor loading a page containing the injected shortcode, enabling session hijacking, credential theft, or privilege escalation by targeting administrators. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV, but Wordfence has confirmed the flaw with direct code-level references.
Reflected XSS in the LJ Comments Import: Reloaded WordPress plugin (all versions ≤ 0.97.1) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by exploiting two distinct unsanitized echo points for the PHP_SELF variable in lj_comments_import.php (lines L129 and L161). The attack requires tricking an authenticated WordPress user into clicking a crafted link, making session hijacking and unauthorized administrative actions the primary post-exploitation risk. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity (AC:L, PR:N) and Changed scope make this a realistic threat to sites where the plugin is active.
Unauthenticated remote code execution in the ProSolution WP Client WordPress plugin (versions ≤ 2.0.0) allows attackers to upload malicious PHP files to a web-accessible directory by abusing an array validation mismatch in its upload handler. Because only the first file in a multi-file upload array is checked for extension and MIME type while the remaining files are processed unchecked, attackers can pair a benign first file with a PHP webshell to achieve full code execution on the host. No public exploit identified at time of analysis, but the high CVSS 9.8 score and trivially scriptable nature place this in the realistic mass-exploitation tier for WordPress plugins.
Cross-Site Request Forgery in the Games Catalog WordPress plugin (versions ≤ 1.2.0) enables unauthenticated attackers to delete arbitrary game catalog entries and their associated WordPress posts by tricking a logged-in site administrator into clicking a crafted link. The vulnerable gc_crud() function in admin-crud.php processes the action=delete parameter via a GET request with no wp_verify_nonce() or check_admin_referer() call, bypassing WordPress's standard CSRF defenses entirely. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface is fully visible in the public WordPress plugin Trac repository, making it trivially constructible.
Arbitrary file read and deletion in the Kirki - Freeform Page Builder plugin for WordPress (versions through 6.0.6) allows unauthenticated remote attackers to read and delete files within the WordPress uploads base directory by abusing the 'downloadZIP' function. The flaw stems from insufficient path validation and a missing capability check, and was reported by Wordfence; no public exploit identified at time of analysis.
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.6) allows authenticated attackers with subscriber-level privileges to enumerate and read all frontend form structures and stored visitor submission data, including contact details and messages submitted through any site form powered by the plugin. The flaw originates in missing authorization checks on an AJAX handler (Ajax.php, line 675), meaning any logged-in user - including the lowest-privilege role WordPress assigns - can exfiltrate sensitive visitor-submitted information without any administrative context. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege barrier and network-accessible attack vector make this a realistic data exposure risk for any multi-user or public-registration WordPress site running the affected plugin.
Stored cross-site scripting via missing authorization in Funnel Builder for WooCommerce Checkout (FunnelKit) plugin versions prior to 3.15.0.3 allows remote unauthenticated attackers to write arbitrary content to the plugin's External Scripts global setting through an exposed public AJAX endpoint. Injected JavaScript executes in the browser of every visitor to the WooCommerce checkout page, enabling credit card skimming, session theft, and credential harvesting. Publicly available exploit code exists and Sansec research indicates the flaw is being exploited in the wild against live e-commerce sites.
Insecure Direct Object Reference in Yoast SEO for WordPress (all versions through 26.5) allows authenticated Contributor-level users to read SEO metadata from any post on the site - including private posts, drafts, and content owned by other users - by supplying arbitrary post_id values to the Meta Search REST API endpoint. The flaw is a missing object-level authorization check: the plugin verified generic edit capability rather than per-post ownership. No public exploit identified at time of analysis, and EPSS stands at 0.03% (8th percentile), indicating low exploitation interest in the wild.
Stored Cross-Site Scripting in the Splide Carousel Block WordPress plugin (all versions ≤ 1.7.1) allows authenticated attackers with contributor-level access to inject persistent JavaScript via the 'url' block attribute, executing against any visitor of the affected page. The attack requires the malicious post to be published by an editor or administrator before the payload fires, adding a social-engineering or workflow-abuse dependency. With an EPSS of 0.03% (9th percentile) and no current CISA KEV listing, real-world exploitation risk is low but non-negligible on sites permitting untrusted contributors to submit content.
Uncontrolled resource consumption in the Simply Schedule Appointments WordPress plugin (all versions ≤ 1.6.11.5) enables unauthenticated remote attackers to exhaust PHP-FPM or mod_php worker processes, effectively rendering the WordPress site unavailable to legitimate users. The attack surface is a publicly accessible REST endpoint (/wp-json/ssa/v1/async) that directly passes a caller-controlled delay parameter into PHP's native sleep() function with no rate limiting or input sanitization. No public exploit code has been identified at time of analysis and EPSS is very low (0.05%, 15th percentile), suggesting limited opportunistic interest so far, though the trivially low attack complexity means any actor can attempt this with no tooling.
Stored Cross-Site Scripting in Style Kits for Elementor (analogwp-templates) WordPress plugin versions up to and including 2.5.0 allows authenticated attackers with contributor-level access to inject persistent JavaScript payloads via the kit title parameter at the /wp-json/agwp/v1/tokens/save REST API endpoint. The injected script executes in the browser of any user who subsequently visits an affected page, with a Changed scope (S:C) indicating cross-user impact that can reach administrators. No public exploit identified at time of analysis; EPSS of 0.03% (9th percentile) signals low observed exploitation probability, though the contributor-level barrier is low on multi-author WordPress sites.
Missing authorization in the AA-Team Woocommerce Envato Affiliates WordPress plugin (versions up to and including 1.2.1) lets a low-privileged authenticated user invoke functionality that is not properly gated by access-control checks, most likely modifying plugin settings as indicated by the Patchstack advisory slug. Because the action carries a high integrity impact, an attacker holding even a basic account can tamper with configuration that should be reserved for administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated broken access control in Magepeople Inc.'s Taxi Booking Manager for WooCommerce plugin (versions up to and including 2.0.1) exposes limited information to remote attackers without requiring any credentials or user interaction. The plugin fails to enforce proper authorization checks on one or more endpoints, classified under CWE-862 (Missing Authorization), allowing unauthenticated network requests to access functionality or data that should be restricted. No active exploitation is confirmed (not in CISA KEV) and EPSS stands at 0.03%, indicating low observed exploitation probability at time of analysis.
Cross-site request forgery in the Zoho Mail WordPress plugin (all versions before 1.6.2) enables a remote attacker to perform unauthorized, integrity-impacting actions on behalf of an authenticated WordPress user without their knowledge. The CVSS 5.7 medium score reflects high integrity impact with no confidentiality or availability exposure, requiring low-privilege victim authentication and user interaction. No public exploit code exists and no active exploitation has been identified; EPSS sits at the 1st percentile and SSVC classifies exploitation status as none.
Authentication bypass in ThemeHigh's Stripe Payment Gateway for WooCommerce (all versions through 5.0.7) allows unauthenticated remote attackers to exploit the plugin's password recovery flow to gain unauthorized access, affecting both data integrity and availability (CVSS 6.5). The flaw is classified as CWE-288 - Authentication Bypass Using an Alternate Path or Channel - meaning the plugin exposes an alternative code path that circumvents normal authentication controls. No public exploit code has been identified at time of analysis, and CISA has not added this to KEV, though SSVC flags the attack as automatable with partial technical impact.
Unauthenticated integrity compromise in WebToffee Smart Coupons for WooCommerce (versions before 2.3.0) allows remote attackers to bypass access controls and modify coupon-related data without authentication. The flaw stems from missing authorization checks (CWE-862) on plugin endpoints, and while no public exploit has been identified at time of analysis, SSVC flags the issue as automatable, meaning mass exploitation tooling could emerge rapidly. EPSS is currently low (0.03%) despite the network-exploitable nature of the bug.
Missing Authorization in Autoship Cloud for WooCommerce Subscription Products (versions through 2.14.0) allows authenticated low-privileged users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack, this CWE-862 flaw means the plugin fails to verify whether an authenticated user holds the correct capability before executing sensitive operations within the WooCommerce subscription management interface. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) signals negligible automated exploitation activity at this time.
WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Privilege escalation in the WishList Member WordPress plugin (versions through 3.30.1) allows authenticated subscriber-level attackers to extract the plugin's plaintext REST API Secret Key and use it to create administrator accounts, resulting in full site takeover. The flaw is reachable via a single AJAX call (ajax_get_screen) that lacks capability and nonce checks. No public exploit identified at time of analysis, but the attack path is fully described in the Wordfence advisory and requires only low-privileged authenticated access.
Privilege escalation in the Wishlist Member WordPress plugin (versions through 3.30.1) allows any authenticated user with Subscriber-level access or higher to update arbitrary plugin options, including the REST API Secret Key, leading to full site takeover. The flaw stems from a missing capability check in the Team_Accounts::save_settings function, and although no public exploit identified at time of analysis, the low authentication bar and chained admin-account creation path make it a high-priority risk on any WordPress site that permits public registration.
Unauthorized order manipulation and information disclosure in the WooCommerce PayPal Payments WordPress plugin (versions through 4.0.1) allows remote unauthenticated attackers to abuse two WC-AJAX endpoints (ppc-create-order and ppc-get-order) that lack authorization checks. By chaining these endpoints, an attacker can create a PayPal order against any victim's WooCommerce order ID and then retrieve full PayPal order details including payer information and shipping data. No public exploit identified at time of analysis, but the plugin's broad e-commerce deployment and trivial attack complexity make this a credible target.
Privilege escalation in the WishList Member WordPress plugin versions up to 3.30.1 allows authenticated low-privilege users to obtain the REST API Secret Key via the unprotected 'export_settings' AJAX endpoint and leverage it to register arbitrary administrator accounts. The CVSS 8.8 (High) rating reflects full confidentiality, integrity, and availability impact, and while no public exploit is identified at time of analysis, the discovery by Wordfence - a major WordPress security vendor - typically precedes broader exploitation against the large WordPress plugin ecosystem.
Privilege escalation in the Wishlist Member WordPress plugin (versions ≤3.30.1) allows authenticated Subscriber-level users to overwrite the plugin's REST API Secret Key and abuse it to create administrator accounts, leading to full site takeover. The flaw stems from a missing capability check on the generate_api_key hook handler. No public exploit identified at time of analysis, though Wordfence has published a threat-intel advisory.
Unauthorized playlist data disclosure in the AudioIgniter WordPress plugin (≤2.0.2) allows remote unauthenticated attackers to retrieve track metadata for non-public playlists via the /audioigniter/playlist/{id}/ rewrite endpoint. The handle_playlist_endpoint() function validates only post_type, omitting authentication, capability, and post_status checks, so draft, private, pending, and trashed playlists are reachable by ID enumeration. No public exploit identified at time of analysis; the issue is fixed in version 2.0.3 per the vendor commit.
Authorization bypass in MotoPress Hotel Booking plugin for WordPress (all versions through 6.0.1) allows unauthenticated remote attackers to overwrite or delete internal booking notes for any reservation by supplying an arbitrary booking ID. The root cause is a nonce that is unconditionally output into every public page's HTML via wp_localize_script under MPHB._data.nonces, meaning any site visitor - without an account or any prior interaction - can obtain a valid nonce and invoke the update-booking-notes AJAX action against any booking. No public exploit code has been identified at time of analysis, but the trivially accessible nonce makes this effectively zero-friction to abuse.
Blind Server-Side Request Forgery in FluentCRM (WordPress plugin, all versions ≤2.9.87) allows unauthenticated remote attackers to coerce the web server into issuing arbitrary HTTP requests via the 'SubscribeURL' parameter in SES bounce handling. Exploitation is constrained to sites where the SES bounce handling key has never been initialized - a default state that persists until an administrator visits the bounce configuration page. Successfully exploited, this flaw can be used to probe and interact with internal services (cloud metadata endpoints, intranet APIs, adjacent containers), achieving limited but meaningful confidentiality and integrity impact across a changed scope. No public exploit or CISA KEV listing exists at time of analysis, though source code references expose the vulnerable code path directly.
Sensitive information exposure in the Slider by Soliloquy WordPress plugin (versions ≤ 2.8.1) allows authenticated attackers with subscriber-level access to read draft slider content that should be restricted to administrators and editors. The flaw exists in the plugin's map_meta_cap implementation within posttype.php, where capability checks are insufficiently enforced, permitting low-privileged users to retrieve draft slider metadata including unpublished media URLs, captions, and full slider configuration details. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthorized data disclosure in the Ditty - Responsive News Tickers, Sliders, and Lists WordPress plugin (versions 0 through 3.1.65) allows unauthenticated remote attackers to retrieve the full contents of non-public Ditty entries - including drafts, pending, scheduled, and disabled posts - by enumerating integer post IDs against the ditty_init AJAX endpoint. The flaw stems from the init_ajax() handler omitting the 'publish' post status check that its non-AJAX counterpart performs, exposing content administrators deliberately withheld from public view. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Cross-Site Request Forgery in the Widget Context WordPress plugin (all versions ≤ 1.3.3) allows unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table by forging a POST request to /wp-admin/widgets.php. The root cause is missing or incorrect nonce validation in the save_widget_context_settings function, confirmed by Wordfence and corroborated by source code references at WidgetContext.php lines 91, 282, and 311. Exploitation requires social engineering a logged-in administrator into clicking an attacker-controlled link; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Authorization bypass in the Vedrixa Forms WordPress plugin (all versions through 1.1.1) permits authenticated attackers with subscriber-level access to overwrite the structure of any registration form by writing attacker-controlled data directly to the plugin's FORMS database table. The root cause is a missing authorization check on the form-saving AJAX handler, compounded by the fact that the required ajax-nonce is publicly exposed via wp_localize_script() on any page rendering a form shortcode - meaning any authenticated visitor can harvest the nonce without elevated privileges. The vulnerability is not listed in CISA KEV and no public exploit has been identified at time of analysis; however, on open-registration WordPress sites the subscriber-level barrier is trivially bypassed.
Unauthenticated privilege escalation in the Easy Elements for Elementor WordPress plugin through version 1.4.5 allows remote attackers to register administrator accounts by abusing an unchecked custom_meta parameter in the eel_register AJAX handler. The flaw lets attackers overwrite the wp_capabilities user meta after wp_insert_user() has assigned a safe role, granting full site takeover. No public exploit identified at time of analysis, and the CVSS vector's PR:L appears inconsistent with the description's explicit unauthenticated abuse path.
Cross-Site Request Forgery in the Alfie - Feed Plugin for WordPress (all versions ≤ 1.2.1) allows unauthenticated remote attackers to delete arbitrary plugin feed data by tricking a logged-in site administrator into clicking a crafted link. The missing nonce validation on the alfie_manage() function means any forged GET request containing the 'delete' parameter will be processed without verifying its origin, permanently removing records from the plugin's four database tables. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and purely social-engineering prerequisite make it a credible threat against active WordPress sites using this plugin.
Missing authorization controls in the FastX WordPress theme allow authenticated Subscriber-level users to install and activate the PostX plugin without administrative approval. The vulnerability exists in two AJAX callback functions - 'ultp_install_callback' and 'ultp_activate_callback' - which fail to verify whether the requesting user holds sufficient capabilities before executing privileged plugin management operations. All versions up to and including 1.0.2 are affected per WPXPO's theme codebase on themes.trac.wordpress.org. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Reflected Cross-Site Scripting in WP Blockade - Visual Page Builder (all versions through 0.9.14) allows authenticated attackers holding at minimum a WordPress Subscriber-level account to inject arbitrary JavaScript into pages rendered in a victim's browser. The vulnerability exists in the render_shortcode_preview() function, which passes raw GET input through do_shortcode() without sanitization or output escaping - when the input is not a recognized shortcode, WordPress returns it verbatim, causing any embedded script to execute. Exploitation requires social engineering an authenticated user (e.g., an admin) into clicking a crafted link, but the low barrier to entry (Subscriber-level account) significantly widens the attacker pool on multi-user WordPress installations. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Unauthorized modification of weather display settings in the Location Weather WordPress plugin (versions ≤3.0.2) is achievable by any authenticated user with Contributor-level access or above, due to missing capability checks on the administrative functions `splw_update_block_options()` and `lwp_clean_weather_transients()`. Affected sites expose the protective nonce to all authenticated sessions via `wp_localize_script()` on the `init` hook, neutralizing what would otherwise be a secondary CSRF defense and making exploitation straightforward for any logged-in user. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog; real-world impact is limited to disruption of weather widget display and cache integrity rather than data theft or code execution.
Stored Cross-Site Scripting in the KIA Subtitle WordPress plugin (all versions through 4.0.1) allows authenticated attackers with Contributor-level access to inject persistent malicious scripts via the `before` and `after` attributes of the `the-subtitle` shortcode. Any site visitor loading a page containing the injected shortcode will execute the attacker's script in their browser context. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and network-accessible attack vector make this a meaningful risk for multi-author WordPress sites.
Reflected Cross-Site Scripting in the CBX 5 Star Rating & Review WordPress plugin (versions up to and including 1.0.7) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'page' parameter rendered in administrative log templates. Successful exploitation requires social engineering an authenticated administrator into clicking a crafted URL, limiting automated mass exploitation while remaining a realistic threat in targeted phishing campaigns against WordPress site owners. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stored Cross-Site Scripting in the Draft List WordPress plugin (versions up to and including 2.6.3) allows authenticated attackers with author-level access to inject arbitrary web scripts into draft post titles using attribute-breakout techniques. The critical aggravating factor is the changed scope (S:C in CVSS): the unescaped rendering path is specifically triggered for users who lack edit capabilities, meaning the payload executes against unauthenticated visitors and subscribers - not just privileged users. No public exploit has been identified at time of analysis, but Wordfence disclosure and the low privilege bar (author-level sufficient) make this a meaningful cross-user threat in any multi-author WordPress environment.
Unauthenticated SQL injection in the WP ERP Pro WordPress plugin (versions through 1.5.1) allows remote attackers to extract sensitive database contents by manipulating the 'search_key' parameter. The flaw stems from missing input escaping and unprepared SQL statements, enabling UNION-based or appended query attacks against any WordPress site running the affected plugin. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated arbitrary file upload in the BookingPress Pro WordPress plugin (versions ≤5.6) enables remote code execution by abusing missing file type validation in the bookingpress_validate_submitted_booking_form_func function. Exploitation requires the booking form to include a signature custom field, but otherwise needs no authentication or user interaction. No public exploit identified at time of analysis, though Wordfence's disclosure and the CWE-434 pattern make weaponization straightforward.
Missing capability check in GSheet For Woo Importer (WordPress plugin, all versions through 2.3.1) allows authenticated attackers with Subscriber-level access to invoke the process_ajax_restore_action() AJAX function and permanently delete the plugin's Google Sheets API token and associated configuration options. This disrupts WooCommerce product import workflows dependent on the Google Sheets integration. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Privilege escalation in the Divi Form Builder WordPress plugin (versions ≤5.1.2) allows unauthenticated remote attackers to register administrator accounts by submitting a tampered 'role' parameter in the registration POST body. The plugin trusts the client-supplied role value instead of enforcing the form's configured default_user_role, yielding full WordPress site takeover. No public exploit identified at time of analysis, but the CVSS 9.8 score and trivial exploitability make this a high-priority patch for any site running the plugin with public registration forms.
Stored Cross-Site Scripting in Avada (Fusion) Builder for WordPress (all versions through 3.15.2) allows authenticated attackers with Subscriber-level access to persist malicious JavaScript via unsanitized shortcode parameters. The injected scripts execute in the browser of any user - typically an administrator - who views a page rendering dynamic user data such as biographical information sourced through the plugin's Dynamic Data feature. With CVSS Scope set to Changed (S:C), successful exploitation crosses the victim's security boundary, enabling session hijacking or privilege escalation against higher-privileged users. No public exploit code or CISA KEV listing has been identified at time of analysis.
Unauthenticated remote code execution in the Avada Builder (fusion-builder) WordPress plugin versions up to and including 3.15.2 allows attackers to execute arbitrary PHP on affected sites by abusing an unsanitized call_user_func() invocation reachable through a public AJAX endpoint. Wordfence-reported issue affects any WordPress site running the Avada theme stack that exposes a Post Cards or Table of Contents element on a public page, since the protecting nonce is deterministically leaked in the page's JavaScript. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial precondition (visiting one page that emits the nonce) make this high-priority.
Stored Cross-Site Scripting in the WPB Floating Menu & Categories WordPress plugin (all versions through 1.0.8) permits authenticated attackers holding Editor-level privileges or higher to inject arbitrary JavaScript via the 'Icon CSS Class' category field. The injected payload persists in the database and executes in the browser of any site visitor who loads a page containing the affected floating menu component, enabling session hijacking or credential harvesting against arbitrary users including administrators. No public exploit has been identified at time of analysis, and the plugin is not listed in the CISA KEV catalog; the CVSS 4.9 Medium score reflects the significant mitigation provided by the high-privilege prerequisite.
Insecure Direct Object Reference in the Broadstreet WordPress plugin (all versions through 1.52.2) allows any authenticated user with Subscriber-level access to read arbitrary private post metadata by supplying a user-controlled key to the get_sponsored_meta AJAX endpoint without server-side authorization checks. The vulnerability stems from a missing object-level authorization check (CWE-639), a common class of flaw in WordPress plugin AJAX handlers. No public exploit code or active exploitation has been identified at time of analysis, and a patched version (1.53.2) is available via the WordPress plugin repository.
Unrestricted file upload in WP Swings Gift Cards For WooCommerce Pro plugin (versions up to and including 4.2.6) allows remote unauthenticated attackers to upload malicious files of dangerous types to vulnerable WordPress sites. With a maximum CVSS score of 10.0 and a scope-changed vector, successful exploitation typically leads to remote code execution and full site compromise. No public exploit identified at time of analysis, though the high severity and ease of exploitation make this a priority concern for any WooCommerce site using this plugin.
Stored cross-site scripting in the Cost of Goods by PixelYourSite WordPress plugin (versions ≤1.2.12) allows remote unauthenticated attackers to inject persistent JavaScript via the 'csvdata[0][cost_of_goods_value]' parameter. Injected payloads execute in the browser of any user (including administrators) who later views the affected page, enabling session hijacking and admin takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Blind SQL injection in YITH WooCommerce Product Add-Ons (WordPress plugin) through version 4.29.0 allows high-privileged authenticated users to inject malicious SQL into database queries, leading to confidentiality compromise and limited availability impact across a changed security scope. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.6; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Sensitive information exposure in the Slider Revolution WordPress plugin (versions up to and including 7.0.9) allows unauthenticated remote attackers to bypass WordPress's native password-protection mechanism and retrieve the full content of protected posts, pages, and WooCommerce products via the vulnerable `get_stream_data()` function. The CVSS vector confirms no authentication, no user interaction, and no special conditions are required, making this trivially exploitable against any affected installation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
SQL injection in SureCart WordPress plugin versions prior to 4.2.1 allows authenticated high-privileged attackers to extract arbitrary database contents via the /surecart/v1/integrations/{id} REST endpoint. The flaw stems from a sanitization bypass in the wp-query-builder component where payloads containing a dot character skip $wpdb->prepare() escaping entirely, enabling UNION-based data exfiltration. No public exploit identified at time of analysis, though Tenable Research has published technical details (TRA-2026-43).
Authenticated privilege escalation in the AcyMailing WordPress plugin (versions up to and including 10.8.2) allows users with subscriber-level access or higher to modify privileged plugin configuration and export subscriber secret keys. By chaining these missing authorization flaws with knowledge of an administrator's email address, attackers can achieve full administrator account takeover. No public exploit identified at time of analysis, but Wordfence - the reporting party - typically tracks WordPress plugin abuse closely.
Stored Cross-Site Scripting via CSRF in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows unauthenticated remote attackers to inject persistent JavaScript into the WordPress admin panel by tricking a logged-in administrator into visiting an attacker-controlled page. The attack chains two flaws: a missing nonce check on the settings handler (no check_admin_referer()) that permits any cross-origin POST to modify plugin settings, and a double-quote escape bypass where the API key value is stored after sanitize_text_field() sanitization but rendered into an HTML attribute via bare echo without esc_attr(), allowing the payload to survive both sanitization and storage. No public exploit has been identified at time of analysis, and the CVE is not listed in the CISA KEV catalog.
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.
Stored XSS in the Email Encoder WordPress plugin (all versions before 2.4.7) permits unauthenticated remote attackers to inject persistent malicious scripts by supplying unsanitized email addresses through public-facing input fields. Because the CVSS scope is Changed (S:C), injected payloads execute in victim browsers rather than the server context, enabling session hijacking, credential theft, or malicious redirects against any visitor who loads an affected page. A publicly available proof-of-concept exists per WPScan reporting; no public exploit identified at time of analysis as actively exploited via CISA KEV.
Stored Cross-Site Scripting in the AI Chatbot & Workflow Automation by AIWU WordPress plugin (versions ≤1.4.14) allows injection of arbitrary web scripts via the unsanitized X-Forwarded-For HTTP request header. The injected payload persists server-side and executes in the browser of any user who accesses an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit has been identified at time of analysis, and no CISA KEV listing exists, though practical exploitation is further constrained by a 20-character storage limit on the injected value.
Insecure Direct Object Reference in NextGEN Gallery WordPress plugin through version 4.2.0 allows authenticated attackers with Subscriber-level privileges and the 'NextGEN Manage gallery' capability to delete gallery images belonging to other users, including their physical files from disk. The DELETE /imagely/v1/images/{id} REST endpoint validates only the 'NextGEN Manage gallery' capability, entirely omitting gallery ownership checks and the 'NextGEN Manage others gallery' permission - making cross-user image destruction possible at low privilege. No public exploit code identified at time of analysis and no CISA KEV listing; however, when deleteImg is enabled (default), exploitation results in irreversible file-level data loss beyond what the CVSS 4.3 integrity score alone conveys.
Local File Inclusion in the Advanced Database Cleaner - Premium WordPress plugin (versions up to and including 4.1.0) allows Subscriber-level authenticated users to include and execute arbitrary .php files via the 'template' parameter. The flaw, reported by Wordfence, carries a CVSS score of 8.8 and can be escalated to full remote code execution when combined with a file upload primitive, while no public exploit identified at time of analysis.
Sensitive credential exposure in the All in One SEO WordPress plugin (versions up to and including 4.9.7) allows authenticated contributors to harvest API tokens, OAuth credentials, and license keys directly from rendered page source. The plugin passes unmasked internal configuration data to the browser via WordPress's wp_localize_script() mechanism in post editor contexts, making sensitive values accessible to any user with contributor-level access or above. No public exploit code or active exploitation has been identified at time of analysis, but exposed credentials carry secondary risk - compromised API/OAuth tokens could enable account takeover or abuse of connected third-party services.
PHP Object Injection in the Boost plugin for WordPress (versions up to and including 2.0.3) allows unauthenticated remote attackers to inject arbitrary PHP objects via the STYXKEY-BOOST_USER_LOCATION cookie. The vulnerability stems from unsafe deserialization of attacker-controlled cookie data; while the plugin itself ships no usable POP (property-oriented programming) chain, exploitation becomes high-impact when any other installed plugin or theme provides one. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthorized template creation in the Xpro Addons for Elementor WordPress plugin exposes sites to unauthenticated content injection via a missing capability check on the get_content_editor AJAX function. All plugin versions through 1.5.0 are affected, allowing any remote attacker without credentials to create and publish Xpro templates on targeted WordPress sites. No public exploit identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote exploitability against default installations with no preconditions.
Unauthenticated SQL injection in the PixelYourSite Boost plugin for WordPress (versions up to and including 2.0.3) allows remote attackers to extract sensitive database contents via time-based blind SQLi in the 'current_url' and 'user_name' parameters. Wordfence reported the issue with a CVSS 7.5 (confidentiality-only impact); no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the Logo Manager For Enamad WordPress plugin (versions up to and including 0.7.4) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title' attribute of three shortcodes - vc_enamad_namad, vc_enamad_shamed, and vc_enamad_custom. The injected payload executes in the browser of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects against site visitors and administrators. No public exploit code or active exploitation has been identified at time of analysis; however, the low privilege requirement (contributor) broadens the realistic attacker pool on multi-author WordPress sites.
Stored Cross-Site Scripting in the Faces of Users WordPress plugin (all versions through 0.0.3) allows authenticated attackers with Contributor-level access or above to inject persistent malicious JavaScript via the 'default' attribute of the 'facesofusers' shortcode. Once injected, the payload executes silently in the browser of any user who visits the compromised page, enabling session theft, credential harvesting, or malicious redirects targeting higher-privileged users including administrators. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Cross-Site Request Forgery chained to Stored Cross-Site Scripting in the Word 2 Cash WordPress plugin (versions ≤ 0.9.2) allows unauthenticated remote attackers to plant persistent JavaScript payloads inside the WordPress admin panel. The attack succeeds because the plugin's settings handler (w2c_admin()) performs no nonce verification, no input sanitization before storage, and no output escaping on retrieval - meaning a forged POST from any attacker-controlled page is indistinguishable from a legitimate admin save. No public exploit or CISA KEV listing has been identified at time of analysis, but the CVSS score of 6.1 with Changed scope reflects real post-exploitation reach within the admin context once triggered.
Cross-Site Request Forgery in the Child Height Predictor by Ostheimer WordPress plugin (all versions through 1.3) allows unauthenticated remote attackers to modify plugin settings by tricking an authenticated administrator into visiting a malicious page. The vulnerability stems from a complete absence of nonce verification in the options() function - neither wp_nonce_field() in the form template nor check_admin_referer()/wp_verify_nonce() in the handler - meaning any forged POST request from an admin session will be accepted and persisted to the database. No public exploit has been identified at time of analysis, and CVSS scores this as medium severity (4.3), which aligns with the limited integrity impact (settings modification only, no confidentiality or availability loss).
Cross-Site Request Forgery in the Bottom Bar WordPress plugin (all versions up to and including 0.1.7) allows unauthenticated attackers to modify plugin configuration by tricking a logged-in administrator into visiting a malicious page. All three administrative settings forms - main settings, sharing services, and restore defaults - lack both wp_nonce_field() output and server-side check_admin_referer() validation in bottom-bar-admin.php, meaning any POST to those endpoints is processed without request authenticity checks. No public exploit has been identified at time of analysis, no patched version has been confirmed, and the vulnerability is not listed in CISA KEV.
Stored Cross-Site Scripting in the General Options WordPress plugin (versions up to and including 1.1.0) allows authenticated attackers holding Administrator-level privileges to persist malicious JavaScript in the Contact Number settings field, which executes in the browser of any administrator who subsequently visits the plugin's settings page. The flaw is rooted in the misapplication of sanitize_text_field() for output escaping - a function that strips HTML tags but does not encode double-quote characters, enabling attribute context breakout when the stored value is echoed inside a double-quoted HTML attribute. WordPress's wp_magic_quotes backslash-prefixing mechanism provides no protection here because HTML parsers treat the backslash as a literal character rather than an escape sequence. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.
Time-based blind SQL injection in the Read More & Accordion WordPress plugin (slug: expand-maker) through version 3.5.7 enables authenticated administrators to exfiltrate arbitrary database contents, including administrator password hashes, by manipulating the orderby GET parameter. The flaw exists in two data-retrieval functions in ReadMoreData.php, where user input bypasses effective sanitization and is concatenated unquoted into an ORDER BY SQL clause. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, though the high-confidentiality CVSS impact (C:H) reflects genuine data-exposure potential.
Authentication bypass in the Oliver POS WooCommerce Point of Sale WordPress plugin (all versions through 2.4.2.6) allows unauthenticated remote attackers to gain full access to the plugin's REST API namespace by exploiting PHP type juggling in the permission callback. On fresh installations where the admin has not yet completed the connection wizard, the stored authorization token is unset (PHP false), and sending the header 'OliverAuth: 0' satisfies the loose comparison '0' == false, returning true and granting unrestricted access to all /wp-json/pos-bridge/* endpoints. Successful exploitation enables reading administrator account details, updating user profiles including email addresses, deleting non-admin users, and ultimately resetting the admin email to achieve full WordPress site takeover. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the Amazon Scraper WordPress plugin (submone, all versions through 1.1) allows unauthenticated remote attackers to modify plugin settings and inject persistent malicious scripts by tricking an authenticated site administrator into clicking a crafted link. The root cause is missing or incorrect nonce validation across multiple functions in amazon-admin.php (identified at lines 13, 26, 45, and 49). No public exploit has been identified at time of analysis, and the plugin has not been added to the CISA KEV catalog, but the Wordfence-reported disclosure includes direct source code references making exploitation straightforward for a motivated attacker.
Settings-reset CSRF in the Remove Yellow BGBOX WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to overwrite the plugin's stored configuration by tricking a logged-in site administrator into loading a forged request. The vulnerability stems from absent nonce validation on the rybb_api_settings page, confirmed by Wordfence with direct source code references to admin/rybb_api_settings.php and includes/functions.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the limited integrity impact keeps real-world priority low.
Stored Cross-Site Scripting in the Diagnosis Generator (診断ジェネレータ作成プラグイン) WordPress plugin allows any subscriber-level authenticated user to write arbitrary JavaScript into WordPress theme files by exploiting a missing capability check in themeFunc(). The payload persists in theme files and executes in every site visitor's browser upon loading any page containing the diagnosis form shortcode, giving a single low-privilege attacker persistent, cross-user script execution. No public exploit has been identified at time of analysis, but the subscriber-level access requirement makes this a broad risk on any WordPress site with open user registration.
Server-side request forgery in the Nexa Blocks WordPress plugin (versions up to and including 1.1.1) exposes internal network infrastructure to unauthenticated remote attackers by combining an unvalidated URL passthrough with a publicly leaked authentication nonce. The plugin's import_demo() function at template.php:242 forwards an attacker-supplied URL directly to WordPress's wp_remote_get() with no scheme restriction, host allowlist, or RFC-1918 blocklist, and the nexa_blocks_nonce that gates this AJAX endpoint is serialized into every public-facing page's HTML via wp_localize_script, nullifying the intended access control entirely. No public exploit has been identified at time of analysis and this is not listed in CISA KEV, but the effective authentication bypass and trivial exploitation path elevate practical risk substantially above what the CVSS 5.4 score alone communicates.
Privilege escalation in the Read More & Accordion WordPress plugin (versions up to and including 3.5.7) allows authenticated low-privileged users granted import rights through the plugin's role settings to write arbitrary rows into the wp_users and wp_usermeta tables, effectively creating a new administrator account. The flaw stems from the RadMoreAjax::importData function failing to restrict target database tables and to validate imported data. No public exploit identified at time of analysis, though the vulnerability was disclosed by Wordfence threat intelligence researchers.
Cross-Site Request Forgery in the Sentence To SEO WordPress plugin (all versions up to and including 1.0) allows unauthenticated remote attackers to inject persistent malicious scripts and overwrite plugin settings by forging admin form submissions against the unprotected create_admin_page() function. Because the CVSS vector carries Changed scope (S:C), a successfully forged request can achieve Stored XSS within the WordPress admin context, crossing the boundary from the plugin into the administrator's browser session. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists, but the attack class is well-understood and exploitation templates for WordPress CSRF-to-XSS chains are widely available.
Cross-Site Request Forgery in the BLOGCHAT Chat System WordPress plugin (all versions through 1.3.6.3) enables unauthenticated remote attackers to both update plugin settings and inject persistent malicious web scripts by tricking an authenticated site administrator into clicking a crafted link. The vulnerability stems from missing or incorrect nonce validation across multiple functions in wp-blogchat-widget.php (lines 208, 215, 222, 293), making it a compound CSRF+Stored XSS risk with Changed scope (S:C) in the CVSS rating. No public exploit code or CISA KEV listing has been identified at time of analysis.
Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.
Reflected Cross-Site Scripting in the VatanSMS WP SMS WordPress plugin (all versions through 1.01) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `page` parameter, executing in the context of a logged-in administrator's browser session. Exploitation requires social engineering an administrator into clicking a crafted link, making this a medium-severity but realistic threat vector for WordPress site takeover or credential theft. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Authorization bypass in the TypeSquare Webfonts for ConoHa WordPress plugin (all versions through 2.0.4) allows authenticated attackers with subscriber-level access to arbitrarily modify site-wide font configuration by submitting a POST request to any wp-admin page. The plugin fails to verify that the requesting user has permission to alter settings such as typesquare_auth (fontThemeUseType), show_post_form, and typesquare_fonttheme (CWE-862). Compounding the issue, when fontThemeUseType values 1 or 3 are targeted, nonce verification is also absent, making those specific code branches additionally exploitable via cross-site request forgery against higher-privileged users. No public exploit has been identified at time of analysis, and no confirmed patched version has been released.
Reflected Cross-Site Scripting in the SponsorMe plugin for WordPress (all versions through 0.5.2) allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by tricking an authenticated user - likely a WordPress administrator - into clicking a specially crafted wp-admin/admin.php URL. The PHP_SELF superglobal is reflected unsanitized in two distinct locations within the same vulnerable function: a form action attribute (sponsorme.php:440) and an anchor href attribute (sponsorme.php:475), doubling the attack surface. No patch has been identified at time of analysis, and no public exploit or CISA KEV listing has been confirmed.
Cross-Site Request Forgery in the JaviBola Custom Theme Test WordPress plugin (all versions through 2.0.5) enables unauthenticated remote attackers to silently replace the site's active theme by forging a request that modifies the `jbct_theme` option. Exploitation requires social-engineering a logged-in site administrator into clicking a crafted link - the CVSS UI:R requirement reflects this dependency. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Cross-Site Request Forgery in the Bigfishgames Syndicate WordPress plugin (all versions through 1.2) enables unauthenticated remote attackers to reset and overwrite plugin settings by forging admin-panel requests. The vulnerability resides in the bigfishgames_syndicate_submenu() function, which lacks proper WordPress nonce validation, meaning any crafted HTTP request bearing a valid admin session will be accepted as legitimate. Exploitation requires tricking an authenticated site administrator into triggering the forged request; no public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.
Reflected Cross-Site Scripting in the Correct Prices WordPress plugin (versions up to and including 1.0) exposes any site running this plugin to script injection via crafted URLs. The correct_prices_page() function writes the raw value of $_SERVER['PHP_SELF'] into a form's action attribute without calling esc_url() or esc_attr(), allowing an attacker to break out of the HTML attribute context and inject arbitrary markup. CVSS vector PR:N confirms no authentication is required from the attacker, though exploitation is limited by a required user interaction (UI:R) - a victim must be tricked into following a specially crafted link. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code was identified at time of analysis.
Stored Cross-Site Scripting in the Anomify AI WordPress plugin (versions ≤ 0.3.6) allows authenticated administrators to persist malicious scripts in the plugin's settings that execute in any user's browser upon visiting the settings page. The flaw exists because the plugin applies sanitize_text_field() to the anomify_api_key input - a function that strips HTML tags but does not encode double-quote characters - then echoes the stored value directly into an HTML attribute context (value="...") without the appropriate esc_attr() call. No public exploit code has been identified at time of analysis, and CISA KEV does not list this CVE; the CVSS score of 4.4 reflects the high privilege bar and high complexity required to exploit.
Unauthenticated SQL injection in the Creative Mail - Easier WordPress & WooCommerce Email Marketing plugin (versions up to and including 1.6.9) allows remote attackers to append arbitrary SQL clauses through the 'checkout_uuid' parameter handled by the has_checkout_consent() method. The flaw stems from missing escaping and the absence of a prepared statement, enabling extraction of sensitive database contents from any WordPress site running the vulnerable plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Privilege escalation in the Easy Elements for Elementor WordPress plugin (versions up to and including 1.4.4) allows unauthenticated remote attackers to register accounts with the 'administrator' role, granting full site takeover. The flaw exists in the 'easyel_handle_register' function which fails to validate or restrict the user role parameter submitted during registration. No public exploit identified at time of analysis, but the trivial nature of the bug and Wordfence's disclosure make weaponization straightforward.
SQL Injection in the Infility Global WordPress plugin (all versions through 2.15.16) allows authenticated attackers holding only a Subscriber-level account to append arbitrary SQL to existing database queries and extract sensitive information. The vulnerability originates in the show_control_data::post_list() function, which is registered as an admin menu page gated only by the 'read' capability - the lowest WordPress capability tier. With CVSS C:H and no integrity or availability impact, the primary real-world risk is wholesale database exfiltration on any site with open user registration. No public exploit has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Stored Cross-Site Scripting in the CVMH Sticky plugin for WordPress (versions ≤2.5.6) enables authenticated contributors to inject persistent JavaScript via the `readmoretext` attribute of the `[cvmh-sticky]` shortcode. The payload executes in the browsers of any visitor loading a page containing the injected shortcode, enabling session hijacking, credential theft, or privilege escalation by targeting administrators. No public exploit is identified at time of analysis and this vulnerability is not listed in CISA KEV, but Wordfence has confirmed the flaw with direct code-level references.
Reflected XSS in the LJ Comments Import: Reloaded WordPress plugin (all versions ≤ 0.97.1) enables unauthenticated remote attackers to inject and execute arbitrary JavaScript in victim browsers by exploiting two distinct unsanitized echo points for the PHP_SELF variable in lj_comments_import.php (lines L129 and L161). The attack requires tricking an authenticated WordPress user into clicking a crafted link, making session hijacking and unauthorized administrative actions the primary post-exploitation risk. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity (AC:L, PR:N) and Changed scope make this a realistic threat to sites where the plugin is active.
Unauthenticated remote code execution in the ProSolution WP Client WordPress plugin (versions ≤ 2.0.0) allows attackers to upload malicious PHP files to a web-accessible directory by abusing an array validation mismatch in its upload handler. Because only the first file in a multi-file upload array is checked for extension and MIME type while the remaining files are processed unchecked, attackers can pair a benign first file with a PHP webshell to achieve full code execution on the host. No public exploit identified at time of analysis, but the high CVSS 9.8 score and trivially scriptable nature place this in the realistic mass-exploitation tier for WordPress plugins.
Cross-Site Request Forgery in the Games Catalog WordPress plugin (versions ≤ 1.2.0) enables unauthenticated attackers to delete arbitrary game catalog entries and their associated WordPress posts by tricking a logged-in site administrator into clicking a crafted link. The vulnerable gc_crud() function in admin-crud.php processes the action=delete parameter via a GET request with no wp_verify_nonce() or check_admin_referer() call, bypassing WordPress's standard CSRF defenses entirely. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack surface is fully visible in the public WordPress plugin Trac repository, making it trivially constructible.
Arbitrary file read and deletion in the Kirki - Freeform Page Builder plugin for WordPress (versions through 6.0.6) allows unauthenticated remote attackers to read and delete files within the WordPress uploads base directory by abusing the 'downloadZIP' function. The flaw stems from insufficient path validation and a missing capability check, and was reported by Wordfence; no public exploit identified at time of analysis.
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.6) allows authenticated attackers with subscriber-level privileges to enumerate and read all frontend form structures and stored visitor submission data, including contact details and messages submitted through any site form powered by the plugin. The flaw originates in missing authorization checks on an AJAX handler (Ajax.php, line 675), meaning any logged-in user - including the lowest-privilege role WordPress assigns - can exfiltrate sensitive visitor-submitted information without any administrative context. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege barrier and network-accessible attack vector make this a realistic data exposure risk for any multi-user or public-registration WordPress site running the affected plugin.
Stored cross-site scripting via missing authorization in Funnel Builder for WooCommerce Checkout (FunnelKit) plugin versions prior to 3.15.0.3 allows remote unauthenticated attackers to write arbitrary content to the plugin's External Scripts global setting through an exposed public AJAX endpoint. Injected JavaScript executes in the browser of every visitor to the WooCommerce checkout page, enabling credit card skimming, session theft, and credential harvesting. Publicly available exploit code exists and Sansec research indicates the flaw is being exploited in the wild against live e-commerce sites.