Skip to main content

WordPress

17379 CVEs vendor

Monthly

CVE-2026-4885 CRITICAL Act Now

Unauthenticated arbitrary file upload in the Piotnet Addons for Elementor Pro WordPress plugin (versions through 7.1.70) allows remote attackers to upload dangerous file types and potentially achieve remote code execution. The flaw stems from an incomplete extension blacklist in the 'pafe_ajax_form_builder' AJAX handler that fails to block executable wrappers such as .phar and .phtml. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high-priority issue for any WordPress site running the plugin with a file-upload form field.

File Upload WordPress RCE Elementor
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-15609 HIGH POC PATCH This Week

The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-6495 HIGH POC PATCH This Week

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-6381 HIGH POC PATCH This Week

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

WordPress Path Traversal
NVD WPScan
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-6379 HIGH POC PATCH This Week

The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.

WordPress SQLi
NVD WPScan
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-3220 HIGH POC PATCH This Week

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

WordPress XSS
NVD WPScan
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1631 MEDIUM POC PATCH This Month

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.

Authentication Bypass WordPress
NVD WPScan
CVSS 3.1
5.4
EPSS
0.0%
CVE-2018-25335 CRITICAL POC Act Now

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Authentication Bypass File Upload
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2018-25329 HIGH POC This Week

WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress LFI
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2018-25326 HIGH POC This Week

Google Drive for WordPress 2.2 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the file_name. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP WordPress Google
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2018-25325 HIGH POC This Week

Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP WordPress
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2018-25324 MEDIUM POC This Month

Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE LFI Apache PHP
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-8719 HIGH This Week

Authenticated attackers can escalate privileges to Administrator in AI Engine WordPress plugin version 3.4.9 through improper authorization in the MCP OAuth bearer-token implementation. The plugin accepts any valid OAuth token for Model Context Protocol (MCP) access without verifying administrator privileges, allowing low-privileged users (Subscriber+) to execute admin-level MCP tools. No public exploit or active exploitation identified at time of analysis.

WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2021-47977 HIGH POC This Week

WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2021-47979 HIGH POC This Week

WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal PHP
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2021-47957 MEDIUM POC This Month

Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Information Disclosure
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37235 MEDIUM POC This Month

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2020-37233 MEDIUM POC This Month

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2025-4202 MEDIUM This Month

Authorization bypass in Multicollab WordPress plugin allows authenticated attackers with Subscriber-level privileges to inject comments into arbitrary editorial collaborations. This affects all versions up to and including 5.2. While CVSS rates this 4.3 (Low), the ability for low-privileged users to pollute editorial workflows could enable social engineering, misinformation injection into content review processes, or disruption of collaborative editing. EPSS data not provided. No active exploitation confirmed (not in CISA KEV). Patch available in version 3519252 per WordPress plugin repository changeset.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8681 MEDIUM This Month

Authorization bypass in Essential Chat Support plugin for WordPress versions ≤1.0.1 allows unauthenticated remote attackers to reset all plugin configuration settings to defaults via a single POST request. The vulnerability stems from missing authorization checks in the settings reset function, enabling tampering with general settings, display rules, custom CSS, and WooCommerce integration without credentials. CVSS 5.3 indicates medium severity with network-accessible exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the attack is trivial given the simple POST parameter requirement.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2021-47965 CRITICAL POC Act Now

WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2021-47959 HIGH POC This Week

WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service WordPress
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-7563 MEDIUM This Month

Authenticated attackers with subscriber-level access can add arbitrary notes to any order in the Classified Listing - AI-Powered Classified ads & Business Directory Plugin (all versions up to 5.3.10) due to missing authorization checks, triggering unsolicited notification and moderation emails to listing owners. The plugin fails to verify user permissions before allowing note creation, enabling privilege escalation within WordPress installations where subscriber accounts exist. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8425 MEDIUM This Month

The Notify Odoo WordPress plugin up to version 1.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the _updateSettings function that allows unauthenticated attackers to modify critical plugin configuration-including the Notify Odoo URL, notification settings, tracking image configuration, and allowed IP addresses-by tricking site administrators into clicking a malicious link. The vulnerability requires user interaction (administrator action) but poses a direct integrity risk by enabling attackers to redirect plugin functionality to attacker-controlled servers or disable legitimate notification and tracking features.

CSRF WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6415 MEDIUM This Month

Stored Cross-Site Scripting in Advanced Custom Fields: Font Awesome plugin for WordPress up to version 5.0.2 allows authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via insufficiently validated JSON field values in the update_preview() function, resulting in script execution whenever any user visits an affected page. The vulnerability requires user interaction only in the sense that a victim must visit a page containing injected content; the attacker needs only Subscriber-level authentication to craft the malicious payload.

XSS WordPress Advanced Custom Fields
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6403 HIGH This Week

Remote unauthenticated attackers can exploit a path traversal vulnerability in Quick Playground plugin for WordPress (versions ≤1.3.3) to exfiltrate sensitive server files including wp-config.php credentials. The flaw in the qckply_zip_theme() function allows arbitrary filesystem traversal via an unsanitized 'stylesheet' parameter, triggering creation of downloadable ZIP archives containing any server-accessible files. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicating trivial remote exploitation requiring no authentication, this represents an immediate confidentiality risk for all sites running affected versions, though no CISA KEV listing or public exploit code has been identified at time of analysis.

WordPress Path Traversal
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-4683 MEDIUM This Month

Unauthenticated attackers can modify Smartcat API credentials in the Smartcat Translator for WPML plugin through a missing capability check on the 'routeData' REST endpoint, allowing hijacking of translation services or denial of service. All versions through 3.1.77 are affected. The vulnerability requires only network access and no user interaction, making it remotely exploitable by any unauthenticated actor against default WordPress configurations running the vulnerable plugin.

Authentication Bypass Denial Of Service WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-7046 MEDIUM This Month

Time-based blind SQL injection in NEX-Forms Ultimate Forms Plugin for WordPress through version 9.1.12 allows authenticated administrators to extract sensitive database information by injecting arbitrary SQL queries via the insufficiently escaped 'table' parameter. The vulnerability requires administrator-level access and is not actively exploited in public records, but poses significant risk to multi-admin WordPress installations where admin accounts may be compromised or untrusted.

SQLi WordPress
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-5229 CRITICAL Act Now

Authentication bypass in Form Notify WordPress plugin versions ≤1.1.10 allows remote unauthenticated attackers to gain administrator access through LINE OAuth flow manipulation. Attackers exploit the plugin's trust of the 'form_notify_line_email' cookie when LINE OAuth doesn't return an email address, authenticating as any site user by injecting a cookie containing the victim's email while completing OAuth with their own LINE account. Wordfence reported this vulnerability with proof-of-concept code available via GitHub commit diffs. EPSS data not available, but the CVSS 9.8 score and network vector with no authentication requirement indicate critical severity. No CISA KEV listing at time of analysis.

Authentication Bypass WordPress
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-6228 HIGH This Week

Privilege escalation in Frontend Admin by DynamiApps plugin allows authenticated attackers with editor-level access to elevate privileges to administrator. The vulnerability exists due to insufficient authorization checks when configuring user role options in edit_user forms combined with overly permissive capabilities on the admin_form post type. Attackers can bypass UI restrictions by directly manipulating POST data to include 'administrator' in role_options, then use the crafted form to assign themselves administrator privileges. CVSS 8.8 reflects network-accessible, low-complexity exploitation requiring only low privileges (editor account). No public exploit code identified at time of analysis, though the attack chain is straightforward for authenticated users. EPSS data not provided, but the technical barrier is minimal once editor access is obtained.

Privilege Escalation PHP WordPress
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4094 HIGH This Week

Authenticated attackers with Contributor-level access can delete entire multi-currency configurations in FOX Currency Switcher Professional for WooCommerce by visiting any wp-admin page with a specific parameter, and the lack of nonce verification allows CSRF-based exploitation against administrators. Confirmed actively exploited (CISA KEV). CVSS 8.1 reflects high integrity and availability impact, with EPSS data unavailable. WordPress plugin affects versions ≤1.4.5, with patch released in version 1.4.6 per Wordfence advisory. The dual attack vectors (direct authenticated abuse and CSRF) significantly increase real-world risk for WooCommerce installations using this currency management plugin.

Authentication Bypass CSRF WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-6646 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in The7 WordPress theme versions up to 14.3.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'dt_default_button' shortcode. The injected scripts execute in the context of any user who views the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified at time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4029 HIGH This Week

Unauthenticated attackers can export complete database tables from WordPress Multisite installations running Database Backup for WordPress plugin ≤2.5.2, exposing credentials, user data, and site content. The vulnerability stems from improper enforcement of authorization check return values, bypassing security controls. Exploitation is limited to legacy WordPress Multisite environments using the deprecated is_site_admin() function. CVSS 7.5 (High) with network attack vector and no authentication required. No CISA KEV listing indicates limited widespread exploitation, though the unauthenticated remote access vector presents significant risk for affected configurations.

Authentication Bypass Information Disclosure WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4030 HIGH This Week

Arbitrary file read and deletion in Database Backup for WordPress (versions ≤2.5.2) allows unauthenticated attackers on WordPress Multisite installations to access sensitive files and potentially achieve site takeover. The vulnerability stems from improper authorization enforcement combined with user-controlled backup directory parameters, exploitable only in Multisite environments using the deprecated is_site_admin() function. CVSS 8.1 with high attack complexity (AC:H) reflects the Multisite-only prerequisite. No CISA KEV listing indicates limited observed exploitation despite the critical authorization bypass nature.

Authentication Bypass Information Disclosure WordPress
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-4031 HIGH This Week

Authorization bypass in Database Backup for WordPress plugin (≤2.5.2) enables unauthenticated attackers to redirect scheduled backup files to publicly accessible directories and retrieve them before cleanup. By poisoning the wp_db_temp_dir parameter via wp-cron.php, attackers can intercept database backups containing credentials, password hashes, and PII. Backup filenames follow predictable patterns (database name, table prefix, date, Swatch Internet Time), making interception reliable. Exploitation requires administrator-configured scheduled backups but no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N). EPSS and KEV data not provided; Wordfence-reported vulnerability with publicly accessible source code references enabling attack reproduction.

Authentication Bypass PHP Information Disclosure WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-6514 HIGH This Week

Server-Side Request Forgery (SSRF) in InfusedWoo Pro plugin for WordPress versions up to 5.1.2 allows unauthenticated remote attackers to exploit the popup_submit function to read arbitrary files from the server and make unauthorized web requests to internal network resources. This vulnerability enables reconnaissance and potential access to internal services that should not be externally accessible, including cloud metadata endpoints, internal APIs, and localhost services. CVSS 7.5 (High) reflects network-accessible attack with no authentication required and high confidentiality impact. EPSS data not available; no active exploitation confirmed via CISA KEV at time of analysis.

SSRF WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-6512 CRITICAL Act Now

Unauthenticated attackers can permanently delete arbitrary WordPress content (posts, pages, WooCommerce products/orders) and manipulate post statuses in InfusedWoo Pro plugin versions up to 5.1.2 due to missing authorization checks. The CVSS 9.1 (Critical) score reflects network-accessible attack with no complexity barriers, though the Availability impact rating (A:N) appears inconsistent with the ability to mass-delete content. EPSS data unavailable; no CISA KEV listing or public exploit confirmed at time of analysis, but the WordPress ecosystem's large attack surface and clear Wordfence advisory make this a priority patching target for WooCommerce sites.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-6504 MEDIUM This Month

Stored Cross-Site Scripting in Royal Elementor Addons and Templates plugin for WordPress up to version 1.7.1058 allows authenticated attackers with Contributor-level privileges to inject arbitrary JavaScript via the 'title_tag' parameter in multiple widgets, with execution occurring when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping on user-controlled parameters.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6206 MEDIUM This Month

MW WP Form plugin for WordPress allows unauthenticated attackers to extract data from password-protected, private, and draft posts via the _get_post_property_from_querystring() function due to insufficient access control checks on post retrieval. The vulnerability affects all versions up to 5.1.2 and requires only network access with no user interaction, enabling confidential content disclosure to unauthorized users.

Authentication Bypass Information Disclosure WordPress
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6174 MEDIUM This Month

Stored cross-site scripting in CC Child Pages WordPress plugin up to version 2.1.1 allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript via the 'more' parameter, which executes in the browsers of users viewing the compromised pages. CVSS 6.4 reflects the authentication gate but cross-site scope (C:L/I:L/S:C). No public exploit code or active exploitation confirmed at time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6145 MEDIUM This Month

The User Registration & Membership WordPress plugin through version 5.1.5 allows unauthenticated attackers to bypass admin approval requirements and register accounts directly by sending a crafted request with action=createuser parameter, exploiting missing authorization checks in the account creation process. The vulnerability affects all installations of the plugin with default or custom configurations where the admin approval feature is enabled. CVSS 5.3 reflects limited confidentiality impact but integrity compromise through unauthorized account creation.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-6670 MEDIUM This Month

Path traversal in the Media Sync WordPress plugin (versions ≤1.4.9) enables authenticated attackers with Author-level access or above to read arbitrary files outside the intended uploads directory by injecting traversal sequences into the 'sub_dir' and 'media_items' parameters. The CVSS vector (C:H/I:N/A:N) confirms the impact is limited to confidentiality - file read only, with no write or deletion capability indicated. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation as none with partial technical impact, consistent with the low EPSS probability of 0.45%.

Path Traversal WordPress Media Sync
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-6252 MEDIUM This Month

Stored Cross-Site Scripting in the Meta Field Block WordPress plugin (versions ≤1.5.2) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'tagName' block attribute. Any user who subsequently visits a page containing the injected block will execute the attacker's arbitrary JavaScript in their browser context. A vendor-released patch (1.5.3) is available; no public exploit has been identified and EPSS and SSVC signals both indicate low exploitation probability at this time.

XSS WordPress Meta Field Block Display Custom Fields In The Block Editor Without Coding
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3718 HIGH This Week

Stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject arbitrary JavaScript via a crafted 'MWP-Key-Name' HTTP request header, which executes when an administrator later visits the plugin's connection management page with debug parameters. No public exploit identified at time of analysis, and the EPSS score is very low (0.07%, 22nd percentile), but the unauthenticated network attack vector and changed scope (S:C) keep this relevant for any site using the plugin.

XSS WordPress Managewp Worker
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-3694 MEDIUM This Month

Stored Cross-Site Scripting in the Bold Page Builder WordPress plugin (versions up to and including 5.6.8) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious JavaScript via the 'text' attribute of the bt_bb_button shortcode. The script executes in the browser of any user who subsequently loads the compromised page, including administrators, enabling session hijacking or unauthorized action execution under victim identity. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, carries an EPSS score of 0.03% (8th percentile), and SSVC designates exploitation status as none.

XSS WordPress Bold Page Builder
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5395 HIGH This Week

Insecure Direct Object Reference in the WordPress Fluent Forms plugin (versions through 6.2.0) allows authenticated users with Fluent Forms manager-level privileges to bypass form-level access controls via the exportEntries function. Attackers can exfiltrate submissions from forms they should not access, export data from arbitrary database tables, and enumerate table names through error message disclosure. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%) despite the high CVSS score.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-5365 MEDIUM This Month

Cross-Site Request Forgery in the LatePoint WordPress booking plugin (all versions ≤ 5.3.2) allows unauthenticated attackers to cancel a logged-in customer's appointments without consent by delivering a forged HTTP request. The root cause is missing nonce verification in the request_cancellation() function within the customer cabinet controller. EPSS is negligible at 0.02% (7th percentile), SSVC classifies exploitation as none, and no public exploit code or active exploitation has been identified at time of analysis.

CSRF WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6506 HIGH This Week

Privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) allows authenticated subscriber-level users to elevate themselves to Administrator by abusing the unprotected infusedwoo_gdpr_upddata() function to overwrite their wp_capabilities user meta. No public exploit identified at time of analysis, EPSS is very low (0.04%), and the issue is not listed in CISA KEV, but the technical impact is total once the simple authentication prerequisite is met.

Authentication Bypass Privilege Escalation WordPress Infusedwoo Pro
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6225 MEDIUM This Month

Time-based blind SQL injection in the Taskbuilder - Project Management & Task Management Tool With Kanban Board WordPress plugin (all versions through 5.0.6) enables authenticated attackers with Subscriber-level access or above to exfiltrate arbitrary data from the underlying database via the 'project_search' parameter. The vulnerability stems from unsanitized user input being passed into an unprepared SQL query, exposing confidential database contents including user credentials, configuration data, and application records. No public exploit code has been identified at time of analysis, EPSS probability is very low at 0.03%, and CISA has not added this to the Known Exploited Vulnerabilities catalog.

SQLi WordPress Taskbuilder Project Management Task Management Tool With Kanban Board
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3892 HIGH This Week

Arbitrary file deletion in the Motors - Car Dealership & Classified Listings Plugin for WordPress (versions up to and including 1.4.107) allows authenticated users with subscriber-level access or higher to delete arbitrary files on the server by supplying a malicious filesystem path through the become-dealer logo upload flow. The flaw was reported by Wordfence and carries a CVSS of 8.1, but EPSS remains very low (0.05%) and CISA SSVC reports no observed exploitation, indicating risk is theoretical rather than active. No public exploit identified at time of analysis.

Information Disclosure WordPress Motors Car Dealership Classified Listings Plugin
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-5193 MEDIUM This Month

Privilege escalation in Essential Addons for Elementor (all versions ≤ 6.5.13) allows authenticated WordPress users with Author-level access or above to create new accounts with elevated roles such as Editor by exploiting the plugin's `register_user` function, which applies an incomplete role denylist that blocks only 'administrator' while leaving other privileged roles unguarded. The network-accessible, low-complexity attack vector (AV:N/AC:L/PR:L) makes this realistic for any site with the plugin's registration widget exposed and populated with low-trust authors. No public exploit has been identified at time of analysis and CISA KEV status is absent, but the plugin's broad WordPress deployment increases aggregate exposure.

Privilege Escalation WordPress Essential Addons For Elementor Popular Elementor Templates Widgets Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6510 CRITICAL Act Now

Authentication bypass and privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) lets unauthenticated remote attackers seize administrator accounts by abusing the iwar_save_recipe() AJAX handler. Because the endpoint lacks nonce verification and capability checks, attackers can plant a malicious automation recipe that chains an HTTP post trigger with an auto-login action, so visiting a crafted URL returns valid authentication cookies for any chosen user. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis, and EPSS sits at 0.19% (40th percentile) despite the SSVC assessment of total technical impact and automatable exploitation.

Authentication Bypass Privilege Escalation WordPress Infusedwoo Pro
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-6271 CRITICAL Act Now

Unauthenticated arbitrary file upload in the Career Section WordPress plugin (versions through 1.7) enables remote code execution by abusing the CV upload handler, which lacks file type validation. Any attacker who can reach the upload endpoint can drop executable PHP files and gain code execution on the underlying WordPress host. No public exploit identified at time of analysis, but the CVSS 9.8 rating combined with SSVC 'automatable: yes' indicates this is a strong candidate for opportunistic mass exploitation once tooling appears.

File Upload WordPress RCE Career Section
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-8181 CRITICAL POC Act Now

Authentication bypass in the Burst Statistics WordPress plugin versions 3.4.0 through 3.4.1.1 allows unauthenticated remote attackers to impersonate any administrator whose username they know by supplying an arbitrary Basic Authentication password. The flaw resides in flawed return-value handling within the `is_mainwp_authenticated()` function used to validate application passwords from the Authorization header, enabling privilege escalation per request. No public exploit identified at time of analysis, and EPSS is low (0.26%), but the CVSS 9.8 score and SSVC 'total' technical impact mark it as a high-severity authentication bypass worth prioritizing.

Authentication Bypass Google Privilege Escalation WordPress
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-6417 MEDIUM This Month

Reflected Cross-Site Scripting in the GLS Shipping for WooCommerce WordPress plugin (all versions through 1.4.0) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'failed_orders' parameter, executing in victims' browsers when they interact with a crafted link. The CVSS vector (PR:N, S:C) confirms no authentication is needed by the attacker, though user interaction is required, and the Changed scope rating means successful exploitation can affect resources beyond the plugin's own context - such as session tokens or other page content. No active exploitation is identified at time of analysis; EPSS stands at 0.06% (17th percentile) and CISA SSVC assigns exploitation status of 'none', making this a theoretical rather than emergent threat.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-5396 HIGH This Week

Authorization bypass in the Fluent Forms WordPress plugin (versions ≤6.1.21) allows authenticated Fluent Forms Managers to read, modify, annotate, and delete submissions belonging to forms outside their assigned scope by tampering with a user-controlled form_id query parameter. The flaw stems from the SubmissionPolicy class trusting client-supplied input for authorization decisions, granting cross-form access despite role restrictions. No public exploit identified at time of analysis, and EPSS exploitation probability remains low at 0.03%.

Authentication Bypass WordPress
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-5243 MEDIUM This Month

Stored cross-site scripting in The Plus Addons for Elementor WordPress plugin (all versions through 6.4.11) allows authenticated contributors to persistently inject arbitrary JavaScript via the `menu_hover_click` parameter of the Navigation Menu Lite widget. The CVSS scope change (S:C) confirms the payload executes in visiting users' browser contexts rather than the attacker's, enabling session hijacking, credential harvesting, or admin account takeover against any user who loads an affected page. EPSS is very low at 0.03% (8th percentile) and SSVC confirms no known exploitation, but the low privilege bar - contributor access, which is routinely granted on multi-author WordPress sites - elevates practical risk above what the medium CVSS score alone suggests.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3829 MEDIUM This Month

Missing authorization controls in the WP Encryption WordPress plugin (all versions through 7.8.5.10) allow any authenticated subscriber-level user to invoke the `wple_basic_get_requests` function and tamper with SSL lifecycle configuration - resetting SSL setup state, falsely marking SSL as complete, and altering plan selection options. The affected plugin automates Let's Encrypt certificate provisioning for WordPress sites, meaning successful exploitation can silently break or misrepresent a site's HTTPS posture. No public exploit code exists and no active exploitation is confirmed (not in CISA KEV); EPSS at 0.02% and SSVC exploitation rating of 'none' place this firmly in the low-urgency tier despite the low privilege bar.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-15345 MEDIUM This Month

Reflected Cross-Site Scripting in the MapGeo - Interactive Geo Maps WordPress plugin (all versions through 1.6.27) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'map' parameter of the display-map shortcode. Exploitation requires tricking an authenticated or anonymous site visitor into clicking a crafted URL, after which the injected script executes in the victim's browser within the plugin's page scope. No public exploit code or CISA KEV listing exists at time of analysis; EPSS probability is 0.06%, placing this in the 19th percentile of exploitation likelihood.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-5361 MEDIUM This Month

Stored Cross-Site Scripting in Envira Gallery Lite (WordPress plugin, versions ≤ 1.12.4) enables authenticated attackers with Author-level access to inject persistent arbitrary JavaScript into gallery pages via the REST API. The attack exploits a context mismatch: the `arrows` gallery parameter is omitted from `sanitize_config_values()` sanitization, and `gallery_init()` escapes it with `esc_attr()` — a function designed for HTML attribute contexts, not inline JavaScript — allowing JavaScript expression injection that executes in any visitor's browser. No public exploit or active exploitation has been identified; EPSS is 0.01% and CISA KEV status is absent, placing this firmly in the low-immediate-risk tier despite its persistent, cross-user impact.

XSS WordPress Envira Gallery Image Photo Gallery Albums Video Gallery Slideshows More
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7648 MEDIUM This Month

Payment bypass in LearnPress WordPress LMS Plugin (all versions ≤ 4.3.5) allows authenticated subscribers to enroll in any paid course at zero cost by manipulating a REST API parameter. The flaw stems from improper input handling in the add_to_cart() REST API endpoint where PHP's array_merge() permits attacker-supplied values to silently overwrite hardcoded order defaults - specifically the quantity field - causing the order total to resolve to $0 and bypassing all configured payment gateway enforcement. No public exploit code has been identified at time of analysis, and CISA KEV does not list this vulnerability; SSVC and EPSS both signal low current exploitation pressure, though the low-friction exploit path warrants prompt remediation on revenue-generating LMS deployments.

Authentication Bypass WordPress Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7525 MEDIUM This Month

Authorization bypass in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.9) allows authenticated attackers with custom-level access or higher to circumvent the moderation and approval workflow by directly manipulating the POST body. The plugin's server-side PHP code in my-calendar-event-editor.php accepted the client-supplied event_approved parameter and used it to override the server-calculated event status, despite UI-level restrictions ostensibly limiting low-privilege users to draft-only submissions. Exploitation enables unauthorized event publishing, cancellation, or marking events private - integrity impacts limited to the event management workflow. No public exploit identified at time of analysis; EPSS (0.02%, 4th percentile) and SSVC (exploitation: none) both indicate negligible current exploitation interest.

Authentication Bypass WordPress My Calendar Accessible Event Manager
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-5486 MEDIUM This Month

SQL Injection in the Unlimited Elements for Elementor WordPress plugin (versions up to and including 2.0.7) allows authenticated attackers holding at least Contributor-level access to extract sensitive database contents by injecting arbitrary SQL into the 'data[filter_search]' parameter of the get_cat_addons AJAX action. The vulnerability is the product of two chained weaknesses: the plugin's normalizeAjaxInputData() function actively undoes WordPress's built-in magic-quote protection via stripslashes(), and the deprecated wpdb->_escape() method then fails to safely handle the exposed input before it is concatenated directly into a LIKE clause. Reported by Wordfence and tracked as EUVD-2026-30214, no public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, though the confidentiality impact is rated High, enabling full database read access for a successful attacker.

SQLi WordPress Unlimited Elements For Elementor Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2020-37174 MEDIUM POC This Month

WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress
NVD Exploit-DB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2020-37169 MEDIUM POC This Month

WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress LFI
NVD Exploit-DB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-4609 HIGH This Week

Authenticated subscribers can bypass authorization gates and forcibly join any ProfileGrid group - including closed, paid, or restricted groups - through a missing capability check in the pm_invite_user function. Affects all ProfileGrid plugin versions up to 5.9.8.4. The vulnerability enables low-privilege users to circumvent membership restrictions and payment requirements, potentially exposing premium content and private community spaces. EPSS data not provided; no CISA KEV listing identified, indicating no confirmed widespread exploitation at time of analysis. CVSS 7.1 reflects high integrity impact due to authorization bypass capabilities.

Authentication Bypass WordPress
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-4607 MEDIUM This Month

Authentication bypass in ProfileGrid - User Profiles, Groups and Communities WordPress plugin up to version 5.9.8.4 allows authenticated Subscriber-level users to modify site-wide group settings through unprotected AJAX actions (pm_set_group_order, pm_set_group_items, pm_set_field_order). Attackers can alter group menu order, list order, icon display, and field ordering without authorization checks. No public exploit code or active exploitation has been identified; CVSS 4.3 (low-moderate severity) reflects limited impact scope to integrity without confidentiality or availability impact.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4608 MEDIUM This Month

ProfileGrid User Profiles plugin for WordPress versions up to 5.9.8.4 allow authenticated attackers with Subscriber-level access to execute blind SQL injection attacks via the 'rid' parameter due to insufficient input escaping and lack of prepared statement use. The vulnerability enables extraction of sensitive database information without user interaction. No public exploit code or active exploitation has been confirmed at this time.

SQLi WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6177 HIGH This Week

Stored cross-site scripting in Custom Twitter Feeds plugin for WordPress versions ≤2.5.4 allows unauthenticated remote attackers to execute arbitrary JavaScript when malicious content enters cached tweet data. The vulnerability stems from the ctf_get_more_posts AJAX endpoint outputting cached tweet text through nl2br() without HTML escaping, accessible without authentication (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). Attack requires either posting malicious tweets that the target site caches via its feed configuration, or leveraging other vulnerabilities to poison the tweet cache. No active exploitation confirmed at time of analysis. Wordfence identified the flaw with patch available in changeset 3519584.

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-3426 MEDIUM This Month

RTMKit Addons for Elementor plugin for WordPress allows authenticated attackers with Author-level access or higher to modify or reset site-wide widget configurations due to missing capability checks in the save_widget() and reset_all_widgets() functions. This privilege escalation vulnerability affects all versions up to 2.0.2 and enables unauthorized modification of widget data across the entire WordPress site, impacting site integrity and user experience.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3425 HIGH This Week

Local File Inclusion vulnerability in RTMKit Addons for Elementor plugin versions up to 2.0.2 allows authenticated attackers with Author-level privileges to include and execute arbitrary PHP files via the 'path' parameter in the 'get_content' AJAX action, enabling remote code execution. The vulnerability requires low-privilege WordPress account access (Author role or higher) and has a CVSS score of 8.8, indicating high impact across confidentiality, integrity, and availability. EPSS data not available, but exploitation requires specific WordPress role assignment, limiting attack surface to sites where untrusted users have Author-level access. No active exploitation confirmed by CISA KEV at time of analysis.

PHP LFI RCE WordPress Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4782 MEDIUM This Month

Arbitrary file read in Avada Builder plugin for WordPress versions up to 3.15.2 allows authenticated attackers with Subscriber-level access to read arbitrary files on the server via the 'fusion_get_svg_from_file' function in the 'fusion_section_separator' shortcode. Sensitive information including configuration files, database credentials, and private keys can be exposed. The vulnerability was partially patched in 3.15.2 and fully patched in version 3.15.3.

RCE WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4798 HIGH This Week

Time-based SQL injection in Avada Builder for WordPress allows remote unauthenticated attackers to extract sensitive database information via the 'product_order' parameter. CVSS 7.5 (High) reflects network-accessible attack vector with no authentication required, but exploitation is limited to specific deployments where WooCommerce was previously installed then deactivated. No active exploitation confirmed (not in CISA KEV), but vulnerability disclosed by Wordfence Threat Intelligence with technical details publicly available.

SQLi WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2515 MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the API key stored in the Hostinger Reach WordPress plugin (versions up to 1.3.8) due to missing capability checks in the AJAX handler, but only when the plugin is not yet connected to a site and the database contains no existing API key. The vulnerability allows unauthorized data modification via the 'hostinger_reach_connection_notice_action' action with CVSS 5.3 (network-accessible, high integrity impact, but requiring low-privilege authentication and non-standard conditions).

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3004 MEDIUM This Month

Stored Cross-Site Scripting in Snow Monkey Blocks WordPress plugin up to version 24.1.11 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'data-slick' attribute, which executes in the browsers of all users who view the affected pages. The vulnerability stems from insufficient input sanitization and output escaping in block rendering functionality. CVSS 6.4 reflects the moderate severity; exploitation requires prior authentication and contributor access, limiting the attack surface to trusted WordPress users or accounts obtained through compromise.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14767 MEDIUM This Month

Stored Cross-Site Scripting in WPC Badge Management for WooCommerce plugin versions up to 3.1.6 allows authenticated attackers with Shop Manager-level access to inject arbitrary JavaScript via the 'text' attribute of the wpcbm_best_seller shortcode. The injected scripts execute in the browsers of any user visiting the affected page, enabling credential theft, session hijacking, or defacement. The vulnerability stems from insufficient input sanitization and output escaping in shortcode processing.

XSS WordPress
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-6965 MEDIUM This Month

Authenticated instructors in Tutor LMS versions up to 3.9.9 can manipulate course ownership logic via an attacker-controlled GET parameter to perform unauthorized operations on other instructors' courses, including deleting lessons, quizzes, assignments, and student data, or modifying course content and grades. The vulnerability stems from the `get_course_id_by()` function unconditionally trusting user-supplied input instead of validating course ownership, bypassing the plugin's primary authorization gate. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14033 MEDIUM This Month

Unauthenticated attackers can retrieve any support ticket content from the ilGhera Support System for WooCommerce plugin (versions up to 1.3.0) by exploiting a missing capability check in the 'get_ticket_content_callback' function, exposing sensitive customer data and private communications without authentication. The vulnerability requires only a valid ticket ID and network access, with no active public exploitation confirmed at time of analysis, but the low attack complexity and unauthenticated nature make it practically exploitable against any WordPress site running the affected plugin.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6929 HIGH This Week

Time-based blind SQL injection in JoomSport WordPress plugin (all versions ≤5.7.7) enables unauthenticated remote attackers to extract sensitive database contents including credentials, user data, and configuration secrets via the unsanitized 'sortf' parameter. CVSS 7.5 (High) with network attack vector, low complexity, and no authentication required. EPSS data not provided; no CISA KEV listing indicates exploitation not yet confirmed in the wild. Wordfence Threat Intel reported this vulnerability with proof-of-concept code references pointing to specific vulnerable functions in class-jsport-getplayers.php and class-jsport-playerlist.php, enabling straightforward exploitation by security researchers and threat actors alike.

SQLi WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9989 MEDIUM This Month

Stored Cross-Site Scripting in Broadstreet plugin for WordPress versions up to 1.53.1 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes for all users viewing affected pages. The vulnerability requires administrator-level access, high attack complexity due to disabled unfiltered_html or multi-site configuration restrictions, and impacts confidentiality and integrity with limited scope. No active exploitation confirmed at time of analysis.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-7051 MEDIUM This Month

Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to 8.9.0 allows authenticated attackers to delete any user's published and scheduled social media post records due to missing ownership verification in the deleteUserPublishPost() and deleteUserSchedPost() functions. Attackers can supply arbitrary sequential post IDs to permanently soft-delete other users' B2S post records, disrupting content publishing workflows across multiuser WordPress installations. This vulnerability requires valid WordPress user authentication but no elevated privileges.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-6828 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Fluent Forms WordPress plugin versions up to 6.2.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'permission_message' parameter, which executes when any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Component module. No active exploitation or public proof-of-concept has been reported, but the low attack complexity and network accessibility make this a practical risk for WordPress sites with contributor-level user accounts.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-9987 MEDIUM This Month

The Broadstreet WordPress plugin versions up to 1.53.1 exposes sensitive business information through an unauthenticated AJAX endpoint (get_sponsored_meta), allowing attackers to extract password-protected and private business details. Despite the CVSS vector indicating PR:N, the vulnerability requires subscriber-level or higher WordPress access, making authenticated users the primary attack vector. The exposure is limited to confidentiality impact with no integrity or availability compromise.

Information Disclosure WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6962 MEDIUM This Month

Stored cross-site scripting in Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin (all versions up to 4.1.0) allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit', which executes in the browsers of all users viewing the affected pages. The vulnerability requires prior account access but no user interaction for execution, making it a persistent attack vector for privilege escalation or malicious content injection on WordPress sites.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7619 MEDIUM This Month

SQL injection in Charitable - Donation Plugin for WordPress versions up to 1.8.10.4 allows authenticated users with donation management admin privileges to inject malicious SQL via the 's' search parameter, enabling extraction of sensitive database information. The vulnerability stems from insufficient escaping and lack of prepared statement usage in the donation search functionality. Attack requires administrator-level access to the donation management area (edit_others_donations capability), limiting scope to internal threats but carrying high confidentiality impact.

SQLi WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7635 HIGH This Week

PHP Object Injection vulnerability in coreActivity activity logging plugin through version 3.0 allows remote attackers to trigger persistent Denial of Service blocking administrator access to log pages. Unauthenticated attackers inject crafted PHP serialized payloads via User-Agent headers during any logged event (e.g., failed login). When administrators view the Logs page, the plugin deserializes untrusted data and passes it to DeviceDetector::setUserAgent(), causing Fatal TypeError. Vendor-released patch version 3.1 available (released May 6, 2026). EPSS exploitation probability not available; no CISA KEV listing at time of analysis. CVSS 8.1 reflects high complexity attack requiring precise payload crafting despite no authentication requirement.

Denial Of Service PHP WordPress Deserialization
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-9988 MEDIUM This Month

Broadstreet WordPress plugin up to version 1.53.1 allows authenticated attackers with Subscriber-level access to create advertisers via missing capability checks on the create_advertiser AJAX action, enabling privilege escalation and unauthorized modification of advertising data.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14755 MEDIUM This Month

Unauthenticated attackers can manipulate product prices in WooCommerce carts via an unprotected AJAX action in the Cost Calculator Builder plugin for WordPress (versions up to 4.0.1) when used with Cost Calculator Builder PRO. The vulnerability stems from the ccb_woocommerce_payment AJAX endpoint being registered without authentication requirements (wp_ajax_nopriv) and failing to validate user input before passing it to checkout initialization, allowing price modification without authorization. This is an Insecure Direct Object Reference (IDOR) flaw with moderate CVSS score (5.3) that enables integrity violations but not confidentiality breaches or availability impact.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-15463 MEDIUM This Month

The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Code Injection WordPress RCE Advanced Custom Fields
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-1250 HIGH This Week

The Court Reservation - Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQLi WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated arbitrary file upload in the Piotnet Addons for Elementor Pro WordPress plugin (versions through 7.1.70) allows remote attackers to upload dangerous file types and potentially achieve remote code execution. The flaw stems from an incomplete extension blacklist in the 'pafe_ajax_form_builder' AJAX handler that fails to block executable wrappers such as .phar and .phtml. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high-priority issue for any WordPress site running the plugin with a file-upload form field.

File Upload WordPress RCE +1
NVD
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

WordPress Path Traversal
NVD WPScan
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.

WordPress SQLi
NVD WPScan
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

WordPress XSS
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4's license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above delete the license key.

Authentication Bypass WordPress
NVD WPScan
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Authentication Bypass +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD Exploit-DB VulDB
EPSS 1% CVSS 8.7
HIGH POC This Week

Google Drive for WordPress 2.2 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the file_name. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP WordPress +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP WordPress
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress RCE LFI +2
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated attackers can escalate privileges to Administrator in AI Engine WordPress plugin version 3.4.9 through improper authorization in the MCP OAuth bearer-token implementation. The plugin accepts any valid OAuth token for Model Context Protocol (MCP) access without verifying administrator privileges, allowing low-privileged users (Subscriber+) to execute admin-level MCP tools. No public exploit or active exploitation identified at time of analysis.

WordPress Privilege Escalation
NVD VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal PHP
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Information Disclosure
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in Multicollab WordPress plugin allows authenticated attackers with Subscriber-level privileges to inject comments into arbitrary editorial collaborations. This affects all versions up to and including 5.2. While CVSS rates this 4.3 (Low), the ability for low-privileged users to pollute editorial workflows could enable social engineering, misinformation injection into content review processes, or disruption of collaborative editing. EPSS data not provided. No active exploitation confirmed (not in CISA KEV). Patch available in version 3519252 per WordPress plugin repository changeset.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in Essential Chat Support plugin for WordPress versions ≤1.0.1 allows unauthenticated remote attackers to reset all plugin configuration settings to defaults via a single POST request. The vulnerability stems from missing authorization checks in the settings reset function, enabling tampering with general settings, display rules, custom CSS, and WooCommerce integration without credentials. CVSS 5.3 indicates medium severity with network-accessible exploitation requiring no privileges or user interaction. No public exploit identified at time of analysis, though the attack is trivial given the simple POST parameter requirement.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service WordPress
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with subscriber-level access can add arbitrary notes to any order in the Classified Listing - AI-Powered Classified ads & Business Directory Plugin (all versions up to 5.3.10) due to missing authorization checks, triggering unsolicited notification and moderation emails to listing owners. The plugin fails to verify user permissions before allowing note creation, enabling privilege escalation within WordPress installations where subscriber accounts exist. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Notify Odoo WordPress plugin up to version 1.0.1 contains a Cross-Site Request Forgery (CSRF) vulnerability in the _updateSettings function that allows unauthenticated attackers to modify critical plugin configuration-including the Notify Odoo URL, notification settings, tracking image configuration, and allowed IP addresses-by tricking site administrators into clicking a malicious link. The vulnerability requires user interaction (administrator action) but poses a direct integrity risk by enabling attackers to redirect plugin functionality to attacker-controlled servers or disable legitimate notification and tracking features.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Advanced Custom Fields: Font Awesome plugin for WordPress up to version 5.0.2 allows authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via insufficiently validated JSON field values in the update_preview() function, resulting in script execution whenever any user visits an affected page. The vulnerability requires user interaction only in the sense that a victim must visit a page containing injected content; the attacker needs only Subscriber-level authentication to craft the malicious payload.

XSS WordPress Advanced Custom Fields
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Remote unauthenticated attackers can exploit a path traversal vulnerability in Quick Playground plugin for WordPress (versions ≤1.3.3) to exfiltrate sensitive server files including wp-config.php credentials. The flaw in the qckply_zip_theme() function allows arbitrary filesystem traversal via an unsanitized 'stylesheet' parameter, triggering creation of downloadable ZIP archives containing any server-accessible files. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicating trivial remote exploitation requiring no authentication, this represents an immediate confidentiality risk for all sites running affected versions, though no CISA KEV listing or public exploit code has been identified at time of analysis.

WordPress Path Traversal
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated attackers can modify Smartcat API credentials in the Smartcat Translator for WPML plugin through a missing capability check on the 'routeData' REST endpoint, allowing hijacking of translation services or denial of service. All versions through 3.1.77 are affected. The vulnerability requires only network access and no user interaction, making it remotely exploitable by any unauthenticated actor against default WordPress configurations running the vulnerable plugin.

Authentication Bypass Denial Of Service WordPress
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Time-based blind SQL injection in NEX-Forms Ultimate Forms Plugin for WordPress through version 9.1.12 allows authenticated administrators to extract sensitive database information by injecting arbitrary SQL queries via the insufficiently escaped 'table' parameter. The vulnerability requires administrator-level access and is not actively exploited in public records, but poses significant risk to multi-admin WordPress installations where admin accounts may be compromised or untrusted.

SQLi WordPress
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in Form Notify WordPress plugin versions ≤1.1.10 allows remote unauthenticated attackers to gain administrator access through LINE OAuth flow manipulation. Attackers exploit the plugin's trust of the 'form_notify_line_email' cookie when LINE OAuth doesn't return an email address, authenticating as any site user by injecting a cookie containing the victim's email while completing OAuth with their own LINE account. Wordfence reported this vulnerability with proof-of-concept code available via GitHub commit diffs. EPSS data not available, but the CVSS 9.8 score and network vector with no authentication requirement indicate critical severity. No CISA KEV listing at time of analysis.

Authentication Bypass WordPress
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in Frontend Admin by DynamiApps plugin allows authenticated attackers with editor-level access to elevate privileges to administrator. The vulnerability exists due to insufficient authorization checks when configuring user role options in edit_user forms combined with overly permissive capabilities on the admin_form post type. Attackers can bypass UI restrictions by directly manipulating POST data to include 'administrator' in role_options, then use the crafted form to assign themselves administrator privileges. CVSS 8.8 reflects network-accessible, low-complexity exploitation requiring only low privileges (editor account). No public exploit code identified at time of analysis, though the attack chain is straightforward for authenticated users. EPSS data not provided, but the technical barrier is minimal once editor access is obtained.

Privilege Escalation PHP WordPress
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated attackers with Contributor-level access can delete entire multi-currency configurations in FOX Currency Switcher Professional for WooCommerce by visiting any wp-admin page with a specific parameter, and the lack of nonce verification allows CSRF-based exploitation against administrators. Confirmed actively exploited (CISA KEV). CVSS 8.1 reflects high integrity and availability impact, with EPSS data unavailable. WordPress plugin affects versions ≤1.4.5, with patch released in version 1.4.6 per Wordfence advisory. The dual attack vectors (direct authenticated abuse and CSRF) significantly increase real-world risk for WooCommerce installations using this currency management plugin.

Authentication Bypass CSRF WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in The7 WordPress theme versions up to 14.3.2 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'dt_default_button' shortcode. The injected scripts execute in the context of any user who views the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified at time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can export complete database tables from WordPress Multisite installations running Database Backup for WordPress plugin ≤2.5.2, exposing credentials, user data, and site content. The vulnerability stems from improper enforcement of authorization check return values, bypassing security controls. Exploitation is limited to legacy WordPress Multisite environments using the deprecated is_site_admin() function. CVSS 7.5 (High) with network attack vector and no authentication required. No CISA KEV listing indicates limited widespread exploitation, though the unauthenticated remote access vector presents significant risk for affected configurations.

Authentication Bypass Information Disclosure WordPress
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file read and deletion in Database Backup for WordPress (versions ≤2.5.2) allows unauthenticated attackers on WordPress Multisite installations to access sensitive files and potentially achieve site takeover. The vulnerability stems from improper authorization enforcement combined with user-controlled backup directory parameters, exploitable only in Multisite environments using the deprecated is_site_admin() function. CVSS 8.1 with high attack complexity (AC:H) reflects the Multisite-only prerequisite. No CISA KEV listing indicates limited observed exploitation despite the critical authorization bypass nature.

Authentication Bypass Information Disclosure WordPress
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Authorization bypass in Database Backup for WordPress plugin (≤2.5.2) enables unauthenticated attackers to redirect scheduled backup files to publicly accessible directories and retrieve them before cleanup. By poisoning the wp_db_temp_dir parameter via wp-cron.php, attackers can intercept database backups containing credentials, password hashes, and PII. Backup filenames follow predictable patterns (database name, table prefix, date, Swatch Internet Time), making interception reliable. Exploitation requires administrator-configured scheduled backups but no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N). EPSS and KEV data not provided; Wordfence-reported vulnerability with publicly accessible source code references enabling attack reproduction.

Authentication Bypass PHP Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Server-Side Request Forgery (SSRF) in InfusedWoo Pro plugin for WordPress versions up to 5.1.2 allows unauthenticated remote attackers to exploit the popup_submit function to read arbitrary files from the server and make unauthorized web requests to internal network resources. This vulnerability enables reconnaissance and potential access to internal services that should not be externally accessible, including cloud metadata endpoints, internal APIs, and localhost services. CVSS 7.5 (High) reflects network-accessible attack with no authentication required and high confidentiality impact. EPSS data not available; no active exploitation confirmed via CISA KEV at time of analysis.

SSRF WordPress
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated attackers can permanently delete arbitrary WordPress content (posts, pages, WooCommerce products/orders) and manipulate post statuses in InfusedWoo Pro plugin versions up to 5.1.2 due to missing authorization checks. The CVSS 9.1 (Critical) score reflects network-accessible attack with no complexity barriers, though the Availability impact rating (A:N) appears inconsistent with the ability to mass-delete content. EPSS data unavailable; no CISA KEV listing or public exploit confirmed at time of analysis, but the WordPress ecosystem's large attack surface and clear Wordfence advisory make this a priority patching target for WooCommerce sites.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Royal Elementor Addons and Templates plugin for WordPress up to version 1.7.1058 allows authenticated attackers with Contributor-level privileges to inject arbitrary JavaScript via the 'title_tag' parameter in multiple widgets, with execution occurring when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping on user-controlled parameters.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

MW WP Form plugin for WordPress allows unauthenticated attackers to extract data from password-protected, private, and draft posts via the _get_post_property_from_querystring() function due to insufficient access control checks on post retrieval. The vulnerability affects all versions up to 5.1.2 and requires only network access with no user interaction, enabling confidential content disclosure to unauthorized users.

Authentication Bypass Information Disclosure WordPress
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in CC Child Pages WordPress plugin up to version 2.1.1 allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript via the 'more' parameter, which executes in the browsers of users viewing the compromised pages. CVSS 6.4 reflects the authentication gate but cross-site scope (C:L/I:L/S:C). No public exploit code or active exploitation confirmed at time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

The User Registration & Membership WordPress plugin through version 5.1.5 allows unauthenticated attackers to bypass admin approval requirements and register accounts directly by sending a crafted request with action=createuser parameter, exploiting missing authorization checks in the account creation process. The vulnerability affects all installations of the plugin with default or custom configurations where the admin approval feature is enabled. CVSS 5.3 reflects limited confidentiality impact but integrity compromise through unauthorized account creation.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Path traversal in the Media Sync WordPress plugin (versions ≤1.4.9) enables authenticated attackers with Author-level access or above to read arbitrary files outside the intended uploads directory by injecting traversal sequences into the 'sub_dir' and 'media_items' parameters. The CVSS vector (C:H/I:N/A:N) confirms the impact is limited to confidentiality - file read only, with no write or deletion capability indicated. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation as none with partial technical impact, consistent with the low EPSS probability of 0.45%.

Path Traversal WordPress Media Sync
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Meta Field Block WordPress plugin (versions ≤1.5.2) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'tagName' block attribute. Any user who subsequently visits a page containing the injected block will execute the attacker's arbitrary JavaScript in their browser context. A vendor-released patch (1.5.3) is available; no public exploit has been identified and EPSS and SSVC signals both indicate low exploitation probability at this time.

XSS WordPress Meta Field Block Display Custom Fields In The Block Editor Without Coding
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject arbitrary JavaScript via a crafted 'MWP-Key-Name' HTTP request header, which executes when an administrator later visits the plugin's connection management page with debug parameters. No public exploit identified at time of analysis, and the EPSS score is very low (0.07%, 22nd percentile), but the unauthenticated network attack vector and changed scope (S:C) keep this relevant for any site using the plugin.

XSS WordPress Managewp Worker
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Bold Page Builder WordPress plugin (versions up to and including 5.6.8) allows authenticated attackers holding contributor-level access or higher to inject persistent malicious JavaScript via the 'text' attribute of the bt_bb_button shortcode. The script executes in the browser of any user who subsequently loads the compromised page, including administrators, enabling session hijacking or unauthorized action execution under victim identity. No active exploitation is confirmed - the vulnerability is absent from CISA KEV, carries an EPSS score of 0.03% (8th percentile), and SSVC designates exploitation status as none.

XSS WordPress Bold Page Builder
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Insecure Direct Object Reference in the WordPress Fluent Forms plugin (versions through 6.2.0) allows authenticated users with Fluent Forms manager-level privileges to bypass form-level access controls via the exportEntries function. Attackers can exfiltrate submissions from forms they should not access, export data from arbitrary database tables, and enumerate table names through error message disclosure. No public exploit identified at time of analysis, and EPSS probability is very low (0.03%) despite the high CVSS score.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the LatePoint WordPress booking plugin (all versions ≤ 5.3.2) allows unauthenticated attackers to cancel a logged-in customer's appointments without consent by delivering a forged HTTP request. The root cause is missing nonce verification in the request_cancellation() function within the customer cabinet controller. EPSS is negligible at 0.02% (7th percentile), SSVC classifies exploitation as none, and no public exploit code or active exploitation has been identified at time of analysis.

CSRF WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) allows authenticated subscriber-level users to elevate themselves to Administrator by abusing the unprotected infusedwoo_gdpr_upddata() function to overwrite their wp_capabilities user meta. No public exploit identified at time of analysis, EPSS is very low (0.04%), and the issue is not listed in CISA KEV, but the technical impact is total once the simple authentication prerequisite is met.

Authentication Bypass Privilege Escalation WordPress +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in the Taskbuilder - Project Management & Task Management Tool With Kanban Board WordPress plugin (all versions through 5.0.6) enables authenticated attackers with Subscriber-level access or above to exfiltrate arbitrary data from the underlying database via the 'project_search' parameter. The vulnerability stems from unsanitized user input being passed into an unprepared SQL query, exposing confidential database contents including user credentials, configuration data, and application records. No public exploit code has been identified at time of analysis, EPSS probability is very low at 0.03%, and CISA has not added this to the Known Exploited Vulnerabilities catalog.

SQLi WordPress Taskbuilder Project Management Task Management Tool With Kanban Board
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the Motors - Car Dealership & Classified Listings Plugin for WordPress (versions up to and including 1.4.107) allows authenticated users with subscriber-level access or higher to delete arbitrary files on the server by supplying a malicious filesystem path through the become-dealer logo upload flow. The flaw was reported by Wordfence and carries a CVSS of 8.1, but EPSS remains very low (0.05%) and CISA SSVC reports no observed exploitation, indicating risk is theoretical rather than active. No public exploit identified at time of analysis.

Information Disclosure WordPress Motors Car Dealership Classified Listings Plugin
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Privilege escalation in Essential Addons for Elementor (all versions ≤ 6.5.13) allows authenticated WordPress users with Author-level access or above to create new accounts with elevated roles such as Editor by exploiting the plugin's `register_user` function, which applies an incomplete role denylist that blocks only 'administrator' while leaving other privileged roles unguarded. The network-accessible, low-complexity attack vector (AV:N/AC:L/PR:L) makes this realistic for any site with the plugin's registration widget exposed and populated with low-trust authors. No public exploit has been identified at time of analysis and CISA KEV status is absent, but the plugin's broad WordPress deployment increases aggregate exposure.

Privilege Escalation WordPress Essential Addons For Elementor Popular Elementor Templates Widgets +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass and privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) lets unauthenticated remote attackers seize administrator accounts by abusing the iwar_save_recipe() AJAX handler. Because the endpoint lacks nonce verification and capability checks, attackers can plant a malicious automation recipe that chains an HTTP post trigger with an auto-login action, so visiting a crafted URL returns valid authentication cookies for any chosen user. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis, and EPSS sits at 0.19% (40th percentile) despite the SSVC assessment of total technical impact and automatable exploitation.

Authentication Bypass Privilege Escalation WordPress +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated arbitrary file upload in the Career Section WordPress plugin (versions through 1.7) enables remote code execution by abusing the CV upload handler, which lacks file type validation. Any attacker who can reach the upload endpoint can drop executable PHP files and gain code execution on the underlying WordPress host. No public exploit identified at time of analysis, but the CVSS 9.8 rating combined with SSVC 'automatable: yes' indicates this is a strong candidate for opportunistic mass exploitation once tooling appears.

File Upload WordPress RCE +1
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Authentication bypass in the Burst Statistics WordPress plugin versions 3.4.0 through 3.4.1.1 allows unauthenticated remote attackers to impersonate any administrator whose username they know by supplying an arbitrary Basic Authentication password. The flaw resides in flawed return-value handling within the `is_mainwp_authenticated()` function used to validate application passwords from the Authorization header, enabling privilege escalation per request. No public exploit identified at time of analysis, and EPSS is low (0.26%), but the CVSS 9.8 score and SSVC 'total' technical impact mark it as a high-severity authentication bypass worth prioritizing.

Authentication Bypass Google Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the GLS Shipping for WooCommerce WordPress plugin (all versions through 1.4.0) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'failed_orders' parameter, executing in victims' browsers when they interact with a crafted link. The CVSS vector (PR:N, S:C) confirms no authentication is needed by the attacker, though user interaction is required, and the Changed scope rating means successful exploitation can affect resources beyond the plugin's own context - such as session tokens or other page content. No active exploitation is identified at time of analysis; EPSS stands at 0.06% (17th percentile) and CISA SSVC assigns exploitation status of 'none', making this a theoretical rather than emergent threat.

XSS WordPress
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Authorization bypass in the Fluent Forms WordPress plugin (versions ≤6.1.21) allows authenticated Fluent Forms Managers to read, modify, annotate, and delete submissions belonging to forms outside their assigned scope by tampering with a user-controlled form_id query parameter. The flaw stems from the SubmissionPolicy class trusting client-supplied input for authorization decisions, granting cross-form access despite role restrictions. No public exploit identified at time of analysis, and EPSS exploitation probability remains low at 0.03%.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in The Plus Addons for Elementor WordPress plugin (all versions through 6.4.11) allows authenticated contributors to persistently inject arbitrary JavaScript via the `menu_hover_click` parameter of the Navigation Menu Lite widget. The CVSS scope change (S:C) confirms the payload executes in visiting users' browser contexts rather than the attacker's, enabling session hijacking, credential harvesting, or admin account takeover against any user who loads an affected page. EPSS is very low at 0.03% (8th percentile) and SSVC confirms no known exploitation, but the low privilege bar - contributor access, which is routinely granted on multi-author WordPress sites - elevates practical risk above what the medium CVSS score alone suggests.

XSS WordPress
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing authorization controls in the WP Encryption WordPress plugin (all versions through 7.8.5.10) allow any authenticated subscriber-level user to invoke the `wple_basic_get_requests` function and tamper with SSL lifecycle configuration - resetting SSL setup state, falsely marking SSL as complete, and altering plan selection options. The affected plugin automates Let's Encrypt certificate provisioning for WordPress sites, meaning successful exploitation can silently break or misrepresent a site's HTTPS posture. No public exploit code exists and no active exploitation is confirmed (not in CISA KEV); EPSS at 0.02% and SSVC exploitation rating of 'none' place this firmly in the low-urgency tier despite the low privilege bar.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the MapGeo - Interactive Geo Maps WordPress plugin (all versions through 1.6.27) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'map' parameter of the display-map shortcode. Exploitation requires tricking an authenticated or anonymous site visitor into clicking a crafted URL, after which the injected script executes in the victim's browser within the plugin's page scope. No public exploit code or CISA KEV listing exists at time of analysis; EPSS probability is 0.06%, placing this in the 19th percentile of exploitation likelihood.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Envira Gallery Lite (WordPress plugin, versions ≤ 1.12.4) enables authenticated attackers with Author-level access to inject persistent arbitrary JavaScript into gallery pages via the REST API. The attack exploits a context mismatch: the `arrows` gallery parameter is omitted from `sanitize_config_values()` sanitization, and `gallery_init()` escapes it with `esc_attr()` — a function designed for HTML attribute contexts, not inline JavaScript — allowing JavaScript expression injection that executes in any visitor's browser. No public exploit or active exploitation has been identified; EPSS is 0.01% and CISA KEV status is absent, placing this firmly in the low-immediate-risk tier despite its persistent, cross-user impact.

XSS WordPress Envira Gallery Image Photo Gallery Albums Video Gallery Slideshows More
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Payment bypass in LearnPress WordPress LMS Plugin (all versions ≤ 4.3.5) allows authenticated subscribers to enroll in any paid course at zero cost by manipulating a REST API parameter. The flaw stems from improper input handling in the add_to_cart() REST API endpoint where PHP's array_merge() permits attacker-supplied values to silently overwrite hardcoded order defaults - specifically the quantity field - causing the order total to resolve to $0 and bypassing all configured payment gateway enforcement. No public exploit code has been identified at time of analysis, and CISA KEV does not list this vulnerability; SSVC and EPSS both signal low current exploitation pressure, though the low-friction exploit path warrants prompt remediation on revenue-generating LMS deployments.

Authentication Bypass WordPress Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.9) allows authenticated attackers with custom-level access or higher to circumvent the moderation and approval workflow by directly manipulating the POST body. The plugin's server-side PHP code in my-calendar-event-editor.php accepted the client-supplied event_approved parameter and used it to override the server-calculated event status, despite UI-level restrictions ostensibly limiting low-privilege users to draft-only submissions. Exploitation enables unauthorized event publishing, cancellation, or marking events private - integrity impacts limited to the event management workflow. No public exploit identified at time of analysis; EPSS (0.02%, 4th percentile) and SSVC (exploitation: none) both indicate negligible current exploitation interest.

Authentication Bypass WordPress My Calendar Accessible Event Manager
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Unlimited Elements for Elementor WordPress plugin (versions up to and including 2.0.7) allows authenticated attackers holding at least Contributor-level access to extract sensitive database contents by injecting arbitrary SQL into the 'data[filter_search]' parameter of the get_cat_addons AJAX action. The vulnerability is the product of two chained weaknesses: the plugin's normalizeAjaxInputData() function actively undoes WordPress's built-in magic-quote protection via stripslashes(), and the deprecated wpdb->_escape() method then fails to safely handle the exposed input before it is concatenated directly into a LIKE clause. Reported by Wordfence and tracked as EUVD-2026-30214, no public exploit code has been identified at time of analysis and CISA KEV does not list this CVE, though the confidentiality impact is rated High, enabling full database read access for a successful attacker.

SQLi WordPress Unlimited Elements For Elementor +1
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM POC This Month

WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress
NVD Exploit-DB
EPSS 0% CVSS 6.8
MEDIUM POC This Month

WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated subscribers can bypass authorization gates and forcibly join any ProfileGrid group - including closed, paid, or restricted groups - through a missing capability check in the pm_invite_user function. Affects all ProfileGrid plugin versions up to 5.9.8.4. The vulnerability enables low-privilege users to circumvent membership restrictions and payment requirements, potentially exposing premium content and private community spaces. EPSS data not provided; no CISA KEV listing identified, indicating no confirmed widespread exploitation at time of analysis. CVSS 7.1 reflects high integrity impact due to authorization bypass capabilities.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authentication bypass in ProfileGrid - User Profiles, Groups and Communities WordPress plugin up to version 5.9.8.4 allows authenticated Subscriber-level users to modify site-wide group settings through unprotected AJAX actions (pm_set_group_order, pm_set_group_items, pm_set_field_order). Attackers can alter group menu order, list order, icon display, and field ordering without authorization checks. No public exploit code or active exploitation has been identified; CVSS 4.3 (low-moderate severity) reflects limited impact scope to integrity without confidentiality or availability impact.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

ProfileGrid User Profiles plugin for WordPress versions up to 5.9.8.4 allow authenticated attackers with Subscriber-level access to execute blind SQL injection attacks via the 'rid' parameter due to insufficient input escaping and lack of prepared statement use. The vulnerability enables extraction of sensitive database information without user interaction. No public exploit code or active exploitation has been confirmed at this time.

SQLi WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in Custom Twitter Feeds plugin for WordPress versions ≤2.5.4 allows unauthenticated remote attackers to execute arbitrary JavaScript when malicious content enters cached tweet data. The vulnerability stems from the ctf_get_more_posts AJAX endpoint outputting cached tweet text through nl2br() without HTML escaping, accessible without authentication (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). Attack requires either posting malicious tweets that the target site caches via its feed configuration, or leveraging other vulnerabilities to poison the tweet cache. No active exploitation confirmed at time of analysis. Wordfence identified the flaw with patch available in changeset 3519584.

XSS WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

RTMKit Addons for Elementor plugin for WordPress allows authenticated attackers with Author-level access or higher to modify or reset site-wide widget configurations due to missing capability checks in the save_widget() and reset_all_widgets() functions. This privilege escalation vulnerability affects all versions up to 2.0.2 and enables unauthorized modification of widget data across the entire WordPress site, impacting site integrity and user experience.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Local File Inclusion vulnerability in RTMKit Addons for Elementor plugin versions up to 2.0.2 allows authenticated attackers with Author-level privileges to include and execute arbitrary PHP files via the 'path' parameter in the 'get_content' AJAX action, enabling remote code execution. The vulnerability requires low-privilege WordPress account access (Author role or higher) and has a CVSS score of 8.8, indicating high impact across confidentiality, integrity, and availability. EPSS data not available, but exploitation requires specific WordPress role assignment, limiting attack surface to sites where untrusted users have Author-level access. No active exploitation confirmed by CISA KEV at time of analysis.

PHP LFI RCE +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file read in Avada Builder plugin for WordPress versions up to 3.15.2 allows authenticated attackers with Subscriber-level access to read arbitrary files on the server via the 'fusion_get_svg_from_file' function in the 'fusion_section_separator' shortcode. Sensitive information including configuration files, database credentials, and private keys can be exposed. The vulnerability was partially patched in 3.15.2 and fully patched in version 3.15.3.

RCE WordPress
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Time-based SQL injection in Avada Builder for WordPress allows remote unauthenticated attackers to extract sensitive database information via the 'product_order' parameter. CVSS 7.5 (High) reflects network-accessible attack vector with no authentication required, but exploitation is limited to specific deployments where WooCommerce was previously installed then deactivated. No active exploitation confirmed (not in CISA KEV), but vulnerability disclosed by Wordfence Threat Intelligence with technical details publicly available.

SQLi WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the API key stored in the Hostinger Reach WordPress plugin (versions up to 1.3.8) due to missing capability checks in the AJAX handler, but only when the plugin is not yet connected to a site and the database contains no existing API key. The vulnerability allows unauthorized data modification via the 'hostinger_reach_connection_notice_action' action with CVSS 5.3 (network-accessible, high integrity impact, but requiring low-privilege authentication and non-standard conditions).

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Snow Monkey Blocks WordPress plugin up to version 24.1.11 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'data-slick' attribute, which executes in the browsers of all users who view the affected pages. The vulnerability stems from insufficient input sanitization and output escaping in block rendering functionality. CVSS 6.4 reflects the moderate severity; exploitation requires prior authentication and contributor access, limiting the attack surface to trusted WordPress users or accounts obtained through compromise.

XSS WordPress
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Stored Cross-Site Scripting in WPC Badge Management for WooCommerce plugin versions up to 3.1.6 allows authenticated attackers with Shop Manager-level access to inject arbitrary JavaScript via the 'text' attribute of the wpcbm_best_seller shortcode. The injected scripts execute in the browsers of any user visiting the affected page, enabling credential theft, session hijacking, or defacement. The vulnerability stems from insufficient input sanitization and output escaping in shortcode processing.

XSS WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authenticated instructors in Tutor LMS versions up to 3.9.9 can manipulate course ownership logic via an attacker-controlled GET parameter to perform unauthorized operations on other instructors' courses, including deleting lessons, quizzes, assignments, and student data, or modifying course content and grades. The vulnerability stems from the `get_course_id_by()` function unconditionally trusting user-supplied input instead of validating course ownership, bypassing the plugin's primary authorization gate. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can retrieve any support ticket content from the ilGhera Support System for WooCommerce plugin (versions up to 1.3.0) by exploiting a missing capability check in the 'get_ticket_content_callback' function, exposing sensitive customer data and private communications without authentication. The vulnerability requires only a valid ticket ID and network access, with no active public exploitation confirmed at time of analysis, but the low attack complexity and unauthenticated nature make it practically exploitable against any WordPress site running the affected plugin.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Time-based blind SQL injection in JoomSport WordPress plugin (all versions ≤5.7.7) enables unauthenticated remote attackers to extract sensitive database contents including credentials, user data, and configuration secrets via the unsanitized 'sortf' parameter. CVSS 7.5 (High) with network attack vector, low complexity, and no authentication required. EPSS data not provided; no CISA KEV listing indicates exploitation not yet confirmed in the wild. Wordfence Threat Intel reported this vulnerability with proof-of-concept code references pointing to specific vulnerable functions in class-jsport-getplayers.php and class-jsport-playerlist.php, enabling straightforward exploitation by security researchers and threat actors alike.

SQLi WordPress
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in Broadstreet plugin for WordPress versions up to 1.53.1 allows authenticated administrators to inject arbitrary JavaScript into admin settings that executes for all users viewing affected pages. The vulnerability requires administrator-level access, high attack complexity due to disabled unfiltered_html or multi-site configuration restrictions, and impacts confidentiality and integrity with limited scope. No active exploitation confirmed at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to 8.9.0 allows authenticated attackers to delete any user's published and scheduled social media post records due to missing ownership verification in the deleteUserPublishPost() and deleteUserSchedPost() functions. Attackers can supply arbitrary sequential post IDs to permanently soft-delete other users' B2S post records, disrupting content publishing workflows across multiuser WordPress installations. This vulnerability requires valid WordPress user authentication but no elevated privileges.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Fluent Forms WordPress plugin versions up to 6.2.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'permission_message' parameter, which executes when any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Component module. No active exploitation or public proof-of-concept has been reported, but the low attack complexity and network accessibility make this a practical risk for WordPress sites with contributor-level user accounts.

XSS WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Broadstreet WordPress plugin versions up to 1.53.1 exposes sensitive business information through an unauthenticated AJAX endpoint (get_sponsored_meta), allowing attackers to extract password-protected and private business details. Despite the CVSS vector indicating PR:N, the vulnerability requires subscriber-level or higher WordPress access, making authenticated users the primary attack vector. The exposure is limited to confidentiality impact with no integrity or availability compromise.

Information Disclosure WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin (all versions up to 4.1.0) allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via unsanitized shortcode attributes 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit', which executes in the browsers of all users viewing the affected pages. The vulnerability requires prior account access but no user interaction for execution, making it a persistent attack vector for privilege escalation or malicious content injection on WordPress sites.

XSS WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Charitable - Donation Plugin for WordPress versions up to 1.8.10.4 allows authenticated users with donation management admin privileges to inject malicious SQL via the 's' search parameter, enabling extraction of sensitive database information. The vulnerability stems from insufficient escaping and lack of prepared statement usage in the donation search functionality. Attack requires administrator-level access to the donation management area (edit_others_donations capability), limiting scope to internal threats but carrying high confidentiality impact.

SQLi WordPress
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Object Injection vulnerability in coreActivity activity logging plugin through version 3.0 allows remote attackers to trigger persistent Denial of Service blocking administrator access to log pages. Unauthenticated attackers inject crafted PHP serialized payloads via User-Agent headers during any logged event (e.g., failed login). When administrators view the Logs page, the plugin deserializes untrusted data and passes it to DeviceDetector::setUserAgent(), causing Fatal TypeError. Vendor-released patch version 3.1 available (released May 6, 2026). EPSS exploitation probability not available; no CISA KEV listing at time of analysis. CVSS 8.1 reflects high complexity attack requiring precise payload crafting despite no authentication requirement.

Denial Of Service PHP WordPress +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Broadstreet WordPress plugin up to version 1.53.1 allows authenticated attackers with Subscriber-level access to create advertisers via missing capability checks on the create_advertiser AJAX action, enabling privilege escalation and unauthorized modification of advertising data.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can manipulate product prices in WooCommerce carts via an unprotected AJAX action in the Cost Calculator Builder plugin for WordPress (versions up to 4.0.1) when used with Cost Calculator Builder PRO. The vulnerability stems from the ccb_woocommerce_payment AJAX endpoint being registered without authentication requirements (wp_ajax_nopriv) and failing to validate user input before passing it to checkout initialization, allowing price modification without authorization. This is an Insecure Direct Object Reference (IDOR) flaw with moderate CVSS score (5.3) that enables integrity violations but not confidentiality breaches or availability impact.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Code Injection WordPress RCE +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Court Reservation - Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQLi WordPress
NVD
Prev Page 13 of 194 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy