Skip to main content

WordPress

17381 CVEs vendor

Monthly

CVE-2026-3454 MEDIUM This Month

GenerateBlocks plugin for WordPress up to version 2.2.0 fails to verify object-level authorization on the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint, allowing authenticated Contributor-level users to extract sensitive information from arbitrary posts including author email addresses and post meta values through crafted dynamic tag payloads. The vulnerability checks only for edit_posts capability but does not verify access to specific posts, exposing confidential data across the entire site to low-privilege authenticated users.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4362 MEDIUM This Month

ElementsKit Elementor Addons plugin for WordPress versions up to 3.8.2 allows unauthenticated attackers to overwrite Elementor widget content via a missing capability check in the Live_Action::reset() function. By crafting a URL with specific GET parameters (post and action=elementor), attackers can permanently replace any elementskit_widget custom post type's design, text, and configurations with a blank template, causing data loss without requiring authentication or user interaction.

Authentication Bypass WordPress Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-5159 MEDIUM This Month

Stored Cross-Site Scripting in Royal Addons for Elementor's Instagram Feed widget allows authenticated contributors and above to inject arbitrary JavaScript via the 'instagram_follow_text' setting, which executes in the browsers of all users viewing the affected page. The vulnerability affects all versions up to 1.7.1056 and requires the Instagram Feed widget to be previously configured with a valid access token by an administrator. No public exploit code or active exploitation has been confirmed at this time.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4665 MEDIUM This Month

Stored Cross-Site Scripting in WP Carousel Free plugin for WordPress affects all versions up to 2.7.10, allowing authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malformed carousel container IDs in the fancybox `data-caption` attribute. The vulnerability arises when the fancybox configuration script fails to initialize due to unsanitized DOM selectors, causing the bundled fancybox library v3.5.7 to fall back to unsafe default caption handling that renders HTML directly. This enables script execution in the context of site visitors clicking images in the compromised carousel lightbox. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4803 HIGH This Week

Stored Cross-Site Scripting in Royal Elementor Addons WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exists in all versions up to 1.7.1056 due to a publicly leaked static nonce that bypasses authentication checks for the wpr_update_form_action_meta AJAX endpoint. Combined with insufficient input sanitization on the 'status' parameter, attackers can inject persistent XSS payloads without authentication. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-5957 MEDIUM This Month

EmailKit plugin for WordPress versions up to 1.6.5 allows authenticated attackers with Author-level access to read arbitrary files from the server due to a path traversal vulnerability in the create_template() method. The vulnerability exploits a PHP 8.x type coercion flaw where realpath() returns false for non-existent directories, causing strpos() validation to incorrectly evaluate and bypass directory restrictions. Attackers can retrieve sensitive files such as wp-config.php by submitting absolute paths via the emailkit-editor-template REST API parameter. No public exploit code identified at time of analysis, though the vulnerability mechanism is trivial to weaponize once authentication is obtained.

PHP WordPress Path Traversal
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-2948 MEDIUM This Month

Server-Side Request Forgery in Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin versions up to 3.5.3 allows authenticated contributors and above to initiate arbitrary web requests from the vulnerable server via the import_images() function, enabling query and modification of internal services. The vulnerability is exploitable without user interaction over the network, affecting sites with contributor-level users or higher.

SSRF WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5294 CRITICAL Act Now

Remote code execution in Geeky Bot WordPress plugin versions ≤1.2.2 allows unauthenticated attackers to install arbitrary plugins and execute code on affected sites. The vulnerability exploits a missing authorization check in a nopriv AJAX handler that permits attacker-controlled function dispatch to a plugin installer, enabling download and extraction of malicious ZIP files directly into wp-content/plugins/. With CVSS 9.8 (critical), network-exploitable without authentication, and EPSS data unavailable, this represents a severe risk to all WordPress sites running vulnerable versions until patched.

Authentication Bypass RCE WordPress
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-3456 HIGH This Week

Unauthenticated SQL injection in GeekyBot WordPress plugin allows remote attackers to extract sensitive database contents via the 'attributekey' parameter. Affects all versions through 1.2.0. The CVSS 7.5 rating reflects network-based exploitation requiring no authentication or user interaction, with high confidentiality impact. Wordfence Threat Intelligence identified this vulnerability, with a patch committed in changeset 3474168. No active exploitation confirmed in CISA KEV at time of analysis, though the trivial attack complexity (AC:L) and unauthenticated vector (PR:N) make this a realistic target for automated scanning and exploitation.

SQLi WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1921 MEDIUM This Month

Loco Translate plugin for WordPress versions up to 2.8.2 allows authenticated attackers with Translator-level access to read arbitrary files outside the intended translation directory via path traversal in the `fsReference` AJAX endpoint. The vulnerability exploits insufficient validation of directory traversal sequences (`../`) in the `findSourceFile()` method, enabling disclosure of sensitive `.php`, `.js`, `.json`, and `.twig` files including wp-config.php-adjacent files. No public exploit code has been identified at time of analysis, and the attack requires administrative capability assignment (`loco_admin` capability) granted to translators by default.

PHP WordPress Path Traversal
NVD VulDB
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-5505 MEDIUM This Month

Stored Cross-Site Scripting in WP-Clippy plugin for WordPress up to version 1.0.0 allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript via the `clippy` shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page. No public exploit code or active exploitation has been identified at the time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6255 MEDIUM This Month

Stored cross-site scripting in Simple Owl Shortcodes WordPress plugin versions up to 2.1.1 allows authenticated contributors and above to inject arbitrary JavaScript via the 'num' attribute of the 'owls_wrapper' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6704 MEDIUM This Month

Reflected Cross-Site Scripting in Blog Settings plugin for WordPress versions up to 1.0 allows unauthenticated attackers to inject arbitrary JavaScript via the 'page' parameter due to insufficient input sanitization and output escaping. An attacker must trick a user into clicking a malicious link to execute the injected script in the victim's browser session, potentially compromising WordPress admin credentials or site functionality.

XSS WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2868 MEDIUM This Month

Stored Cross-Site Scripting in Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin up to version 3.5.3 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via the 'separatorIconSVG' parameter, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at the time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6702 MEDIUM This Month

Cross-Site Request Forgery in Publish 2 Ping.fm WordPress plugin up to version 1.1 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a crafted link, exploiting missing nonce validation on the admin settings page. The vulnerability requires user interaction (admin click) and affects the plugin's confidentiality and integrity but not availability. No public exploit code or active exploitation has been confirmed.

PHP CSRF WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-6700 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in DX Sources plugin for WordPress up to version 2.0.1 allows unauthenticated attackers to modify plugin configuration options by tricking a logged-in administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the settings_page_build function, enabling attackers to alter plugin settings without administrative consent. No active exploitation has been confirmed at the time of analysis.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-5247 MEDIUM This Month

Stored cross-site scripting (XSS) in PublishPress Future WordPress plugin versions up to 4.10.0 allows authenticated administrators to inject arbitrary JavaScript via the 'wrapper' attribute of the [futureaction] shortcode, which executes in the browsers of all users viewing the affected page. The vulnerability stems from insufficient sanitization: the plugin uses esc_html() to escape the attribute value but then passes it as a bare HTML tag name in a sprintf() call, permitting event handler injection through spaces. Since administrators can delegate this functionality to lower-privileged contributors, the attack surface extends beyond high-privilege users.

XSS WordPress
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-4409 MEDIUM This Month

Subscribe To Comments Reloaded plugin for WordPress up to version 240119 allows unauthenticated attackers to extract a global secret key from public post pages and forge authorization tokens, enabling unauthorized modification of comment subscription preferences for arbitrary users. The vulnerability stems from weak hash generation and key exposure, affecting all installations without authentication requirements. Active exploitation potential is high given the trivial access vector (network, no user interaction) and the ability to manipulate user subscription data.

Information Disclosure WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5100 HIGH This Week

SQL injection in AWP Classifieds plugin for WordPress versions up to 4.4.5 allows remote unauthenticated attackers to extract sensitive database contents via array key manipulation in the 'regions' parameter. The vulnerability stems from insufficient escaping of user input in search functionality, affecting the plugin's query integration and page search components. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and no authentication required, this poses significant risk to WordPress sites running this classifieds plugin, though no public exploit or active exploitation has been identified at time of analysis.

SQLi WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-13618 CRITICAL Act Now

Privilege escalation in Mentoring theme for WordPress (all versions ≤1.2.8) allows unauthenticated remote attackers to create administrator accounts via broken registration role validation in mentoring_process_registration(). The flaw bypasses normal WordPress role restrictions, enabling complete site takeover without requiring any authentication or user interaction. CVSS 9.8 (critical) with network attack vector and no complexity barriers. EPSS and KEV data not provided, but the combination of unauthenticated admin account creation represents an imminent site compromise risk for all installations with registration enabled.

Privilege Escalation WordPress
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6696 MEDIUM This Month

Reflected cross-site scripting in Zingaya Click-to-Call WordPress plugin up to version 1.0 allows unauthenticated attackers to inject arbitrary web scripts via the email, first_name, last_name, and phone parameters on the plugin's admin sign-up page. The vulnerability requires user interaction (clicking a malicious link) and results in session hijacking, credential theft, or defacement within the WordPress admin context. No public exploit code or active exploitation has been identified at the time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-4730 MEDIUM This Month

Stored cross-site scripting in Charts Ninja: Create Beautiful Graphs & Charts plugin for WordPress (all versions up to 2.1.0) allows authenticated contributors and above to inject arbitrary JavaScript via the 'chartid' shortcode attribute due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, potentially compromising site visitors and administrative accounts. No public exploit code or active exploitation has been confirmed at this time.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6701 MEDIUM This Month

Cross-Site Request Forgery in addfreespace WordPress plugin versions up to 0.1.3 allows unauthenticated attackers to update plugin settings and inject malicious scripts by tricking site administrators into clicking a forged link, exploiting missing nonce validation on settings update functions. The vulnerability requires user interaction (administrator click) and has low impact scope (integrity only, no confidentiality or availability loss), making it a moderate-risk CSRF attack vector in typical WordPress deployments.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-5722 CRITICAL Act Now

Authentication bypass in MoreConvert Pro for WordPress allows remote unauthenticated attackers to hijack any user account, including administrators, by exploiting token reuse in the guest waitlist verification flow. Attackers obtain a verification token for their own email, change the guest customer email to the target victim's email via the public waitlist API, then use the original token to authenticate as the victim. This critical vulnerability (CVSS 9.8) affects all versions through 1.9.14, with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-25863 HIGH PATCH This Week

Denial-of-service condition in Conditional Fields for Contact Form 7 WordPress plugin allows remote unauthenticated attackers to crash PHP processes by injecting arbitrarily large iteration values through REST API parameters. The Wpcf7cfMailParser class processes user-supplied POST data without validation, enabling attackers to trigger unbounded loops with multiple regex operations that exhaust server memory. Affects all versions through 2.6.7 with vendor patch now available. EPSS data not provided, but the network-accessible unauthenticated attack vector (AV:N/PR:N) combined with low complexity (AC:L) indicates straightforward exploitation potential against publicly accessible WordPress sites running this plugin.

Denial Of Service PHP WordPress
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41471 HIGH POC Monitor

Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

Authentication Bypass WordPress Information Disclosure PHP
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-32834 HIGH POC Monitor

Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.

Authentication Bypass WordPress
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-5335 MEDIUM POC PATCH This Month

Magic Export & Import WordPress plugin before version 1.2.0 stores exported CSV files in a publicly accessible web directory, allowing unauthenticated remote attackers to enumerate and download sensitive user data without authentication. The vulnerability affects all versions prior to 1.2.0, has publicly available proof-of-concept code, and carries moderate real-world risk due to the low attack complexity and high automatable nature of exploitation, though the actual severity is constrained by the fact that CSV export must first occur and require that files remain accessible.

Path Traversal WordPress Information Disclosure
NVD WPScan
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5337 MEDIUM POC This Month

Frontend File Manager Plugin for WordPress through version 23.6 allows authenticated Subscriber-level users and higher to read arbitrary files belonging to other users via insecure direct object reference (IDOR) in the download endpoint. By manipulating the 'file_id' parameter, attackers can bypass authorization checks and access sensitive data stored by administrators and other privileged users. Publicly available exploit code exists for this vulnerability, though EPSS scoring (0.02%) suggests limited real-world exploitation relative to its high CVSS rating.

Authentication Bypass WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5063 HIGH This Week

Stored Cross-Site Scripting in NEX-Forms WordPress plugin versions ≤9.1.11 allows unauthenticated remote attackers to inject malicious JavaScript through crafted POST parameter key names during form submission. Exploitation requires no authentication (CVSS PR:N) and persists across page loads, affecting any user viewing injected content. The CVSS vector indicates changed scope (S:C), meaning attackers can impact resources beyond the vulnerable component's security scope. No active exploitation confirmed via CISA KEV at time of analysis, but WordPress XSS vulnerabilities typically see rapid weaponization once disclosed.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-0703 MEDIUM This Month

Stored cross-site scripting in NextMove Lite - Thank You Page for WooCommerce plugin allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via the 'xlwcty_current_date' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browser of any user viewing affected pages, potentially compromising WordPress site integrity and user sessions. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2554 HIGH This Week

Authenticated vendors with low-level privileges can delete arbitrary WordPress users, including site administrators, via Insecure Direct Object Reference in WCFM - Frontend Manager for WooCommerce plugin versions up to 6.7.25. The vulnerability resides in the 'wcfm_delete_wcfm_customer' function which fails to validate user-controlled 'customerid' parameters, allowing privilege escalation through unauthorized user deletion. Patch available in version 6.7.26 per Trac changeset 3483695. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 8.1 (High) reflects significant real-world impact if exploited by malicious vendors on WooCommerce marketplaces.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-3504 MEDIUM This Month

Unauthenticated remote attackers can extract sensitive user information including email addresses, usernames, and user IDs through the '/dokan/v1/stores/{id}/reviews' REST API endpoint in Dokan plugin versions up to 4.3.1. The vulnerability affects only installations with the Pro version activated and store reviews enabled, allowing information disclosure of all customers who left vendor reviews. No public exploit code has been identified, but the attack requires no authentication or user interaction and can be automated at scale.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6817 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Quiz Maker by AYS WordPress plugin versions up to 6.7.1.29 allows unauthenticated attackers to inject arbitrary JavaScript through the 'rate_reason' parameter due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling credential theft, malware distribution, or defacement without requiring authentication or user interaction.

WordPress XSS
NVD VulDB
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-6320 HIGH This Week

Arbitrary file read in Salon Booking System plugin for WordPress (versions ≤10.30.25) allows unauthenticated remote attackers to exfiltrate sensitive local files by injecting malicious file paths into booking form fields, which are then attached to confirmation emails sent by the system. Wordfence identified this path traversal vulnerability (CWE-22) with a CVSS score of 7.5, exploitable without authentication or user interaction. The vulnerability is confirmed patched in version 10.30.26 via changeset 3512110, though no CISA KEV listing or public exploit code has been identified at time of analysis.

Path Traversal WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4061 HIGH This Week

Time-based blind SQL injection in Geo Mashup WordPress plugin allows unauthenticated remote attackers to extract database contents when Geo Search is enabled. The vulnerability stems from explicit removal of WordPress's built-in magic quotes protection via stripslashes_deep($_POST), combined with failure to sanitize the map_post_type parameter before SQL concatenation in an IN() clause. EPSS data not provided. No CISA KEV listing indicates this is not yet confirmed as actively exploited. Public exploit code status unknown, though detailed code references in Wordfence advisory provide clear exploitation path. Patch released in changeset 3503627.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4790 MEDIUM This Month

Stored Cross-Site Scripting in Premium Addons for Elementor plugin for WordPress up to version 4.11.70 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript via the 'custom_svg' parameter, which executes in the browsers of users viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping on a user-controllable SVG parameter. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress XSS Elementor
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4062 HIGH This Week

Time-based SQL injection in Geo Mashup WordPress plugin versions ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from ineffective sanitization in the 'object_ids' and 'exclude_object_ids' parameters-while esc_sql() is applied, it provides no protection in unquoted IN() contexts where attackers can inject parentheses and SQL keywords. The numeric sanitizer exists but only applies to AJAX paths, leaving render-map.php and template tag paths vulnerable. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence Threat Intelligence disclosure increases likelihood of weaponization.

PHP WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4100 HIGH This Week

Authenticated attackers with Subscriber-level access can disrupt all Stripe payment processing in Paid Memberships Pro for WordPress versions up to 3.6.5 by deleting, creating, or rebuilding webhook configurations. Missing capability checks on three AJAX handlers (pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, pmpro_stripe_rebuild_webhook) allow low-privilege users to break subscription renewals, cancellation handling, and failed payment management for the entire site. Patch available in PR #3615 implementing proper authorization checks requiring manage_options or pmpro_paymentsettings capabilities plus nonce validation. EPSS data not provided; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.

Authentication Bypass WordPress
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-4060 HIGH This Week

Time-based SQL injection in WordPress Geo Mashup plugin ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The 'sort' parameter in multiple code paths (render-map.php, template tags) lacks proper sanitization despite esc_sql() application, which is ineffective in ORDER BY contexts without quote encapsulation. Version 1.13.18 added allowlist-based sanitization but only protected the AJAX endpoint, leaving other attack vectors exploitable. EPSS and KEV data not available; vulnerability disclosed by Wordfence with public source code references confirming the flaw.

PHP WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5077 MEDIUM This Month

Stored Cross-Site Scripting in Total WordPress theme versions up to 2.2.1 allows authenticated contributors and above to inject arbitrary JavaScript via post titles in the home blog section. The vulnerability stems from insufficient output escaping when rendering post titles in HTML attribute context. Exploitation requires the malicious post to be published and displayed with a featured image on the home page, where the injected script will execute in the browsers of all users viewing the page. No public exploit code has been identified, and active exploitation has not been confirmed.

WordPress XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-5324 HIGH This Week

Unauthenticated attackers can inject stored cross-site scripting payloads into Brizy Page Builder for WordPress (versions ≤2.8.11) via form submission FileUpload fields, which execute when administrators view the form Leads page. The vulnerability chains three implementation flaws: missing nonce verification for anonymous form submissions, inadequate sanitization of FileUpload field values when no file is attached, and reversal of HTML entity encoding via html_entity_decode() before unescaped output in admin views. Publicly available exploit code exists. EPSS data not provided, but the CVSS 7.2 (High) with scope change reflects the privilege escalation from unauthenticated user to admin-context execution. Patch released in version 2.8.12 per WordPress plugin repository changeset 3502206.

PHP WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-4024 MEDIUM This Month

Unauthenticated attackers can modify form action metadata on WordPress posts through the Royal Addons for Elementor plugin (versions up to 1.7.1056) due to a missing capability check on the wpr_update_form_action_meta AJAX endpoint. The endpoint registers on both wp_ajax and wp_ajax_nopriv hooks, is accessible without authentication, and relies on a nonce that is publicly exposed in frontend JavaScript, allowing attackers to bypass the nonce protection and alter email, Mailchimp, and webhook settings on any post. This enables attackers to hijack form submissions, exfiltrate data via modified webhook URLs, or redirect emails to attacker-controlled addresses without any user interaction or special configuration required.

Authentication Bypass WordPress Elementor
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6229 HIGH This Week

Server-Side Request Forgery (SSRF) in Royal Elementor Addons plugin for WordPress allows authenticated attackers with Contributor-level permissions to bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling requests to arbitrary internal URLs and retrieval of sensitive data from private network services. Affects versions up to 1.7.1057. The CVSS vector indicates network-based attack with no authentication required (PR:N), contradicting the description's statement of Contributor-level requirement-affected site operators should verify actual privilege requirements with vendor advisory. No active exploitation confirmed (not in CISA KEV), but detailed source code references enable rapid POC development.

SSRF Google WordPress Elementor
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-6457 MEDIUM This Month

Time-based blind SQL injection in Geo Mashup WordPress plugin versions up to 1.13.19 allows authenticated attackers with subscriber-level access to extract sensitive database information via the 'geo_mashup_null_fields' parameter due to insufficient escaping and lack of prepared statement usage. The vulnerability requires valid WordPress authentication but grants high-confidence data confidentiality compromise without requiring user interaction, affecting all installations of this geolocation plugin with vulnerable versions active.

WordPress SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6449 MEDIUM This Month

Unauthenticated attackers can approve any WordPress booking in 'waiting' status via the admin-ajax endpoint in Amelia plugin versions up to 2.1.2, due to a logical short-circuit flaw that skips token validation when the booking status matches a specific condition. An attacker can craft a direct request to the publicly-accessible endpoint to approve arbitrary bookings without authentication. This impacts all installations with pending bookings and exposes the booking workflow integrity across WordPress sites using this plugin.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2052 HIGH This Week

Remote code execution in Widget Options plugin for WordPress (all versions ≤4.2.2) allows authenticated Contributor-level users to execute arbitrary PHP code on the server by bypassing input validation in the Display Logic feature. The plugin's unsafe use of eval() on user-controlled expressions, combined with insufficient authorization checks on the extended_widget_opts_block attribute, enables attackers to chain array_map with string concatenation to bypass blocklists. Version 4.2.0 included a partial patch, indicating the vulnerability remains exploitable in current versions. No CISA KEV listing or public POC identified at time of analysis, but EPSS data not provided for risk calibration.

RCE WordPress Code Injection
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-4650 MEDIUM This Month

Unauthenticated attackers can bypass authorization controls in FundPress WordPress Donation Plugin versions up to 2.0.8 to arbitrarily modify donation statuses via the donate_action_status() AJAX handler, which lacks nonce verification and capability checks despite being exposed to unauthenticated users. By enumerating sequential donation IDs and sending crafted POST requests, attackers can mark donations as completed, pending, or cancelled, potentially triggering email notifications and corrupting donation records without any user interaction or authentication.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7649 HIGH This Week

Time-based blind SQL injection in ARMember WordPress plugin versions up to 4.0.60 allows unauthenticated remote attackers to extract sensitive database information via the 'orderby' parameter. The vulnerability stems from insufficient input sanitization in the members directory and shortcode handling classes, enabling attackers to append malicious SQL queries without authentication (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). EPSS data and active exploitation status not available at time of analysis, but the lack of authentication requirements and low attack complexity make this a high-priority remediation target for WordPress sites using ARMember for membership management or content restriction.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5110 HIGH This Week

Stored cross-site scripting (XSS) in Gravity Forms WordPress plugin versions ≤2.10.0 allows remote unauthenticated attackers to inject malicious JavaScript that executes when administrators view form entries. The vulnerability exploits a validation bypass in nested SingleProduct fields within Repeater fields, where product name tampering is not validated. When admins access compromised entries via wp-admin, the unsanitized payload executes in their browser session. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication or user interaction during payload delivery, though the attack requires subsequent admin interaction (viewing the entry) for payload execution. No active exploitation confirmed in CISA KEV at time of analysis.

PHP WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-7647 HIGH This Week

Unauthenticated PHP object injection in Profile Builder Pro for WordPress allows remote attackers to execute arbitrary code by deserializing malicious objects through an unprotected AJAX endpoint. The vulnerability affects all versions through 3.14.5 and stems from unsafe deserialization of attacker-controlled POST data in the wppb_request_users_pins_action_callback() handler, which was registered for both authenticated and unauthenticated users without nonce verification. With CVSS 8.1 and AC:H complexity, exploitation requires chaining with a POP gadget chain, though EPSS data and KEV status are not available to confirm active exploitation.

PHP WordPress Deserialization
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-5111 HIGH This Week

Stored Cross-Site Scripting in Gravity Forms plugin for WordPress through version 2.10.0 allows unauthenticated remote attackers to inject malicious scripts via Hidden Product fields nested in Repeater fields. The vulnerability executes when WordPress administrators view submitted form entries. Attack succeeds because repeater subfields bypass validation, and the Hidden Product field's validate() method checks only quantity while ignoring the product name field, which renders unescaped in entry details. CVSS 7.2 with changed scope indicates potential cross-user impact. EPSS and KEV data not provided; exploitation requires no authentication or user interaction (AV:N/PR:N/UI:N), making this exploitable against any public-facing Gravity Forms installation accepting submissions.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-6447 MEDIUM This Month

Stored Cross-Site Scripting in Call for Price for WooCommerce plugin versions up to 4.2.0 allows authenticated administrators to inject arbitrary JavaScript via plugin settings that executes for all users visiting affected pages. The vulnerability requires administrator-level access and is limited to WordPress multisite installations or single-site installations with the unfiltered_html capability disabled, significantly reducing real-world exposure compared to the CVSS score of 4.4 suggests.

WordPress XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-5109 HIGH This Week

Stored XSS in Gravity Forms for WordPress ≤2.10.0 allows unauthenticated remote attackers to inject malicious JavaScript through Product Option field values that execute when administrators view entry details. The flaw exploits a sanitization bypass: the plugin's state validation accepts values matching wp_kses()-cleaned legitimate options but stores the raw unsanitized input, which is then rendered without escaping in the Order Summary view (view-order-summary.php:32). EPSS data not available; no public exploit identified at time of analysis. Vendor patch status requires verification via changelog.

PHP WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-5112 HIGH This Week

Stored Cross-Site Scripting in Gravity Forms for WordPress up to 2.10.0 enables unauthenticated attackers to inject malicious scripts through form submissions containing crafted Calculation Product field names within Repeater fields. When administrators view entry details in wp-admin, the unescaped product names execute arbitrary JavaScript in the admin context. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N/S:C) indicates network-accessible exploitation without authentication, though actual impact requires admin interaction. EPSS and KEV data not provided; no public exploit code confirmed at time of analysis. Wordfence reported this vulnerability affecting the Calculation Product field validation and rendering chain.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-5113 HIGH This Week

Stored Cross-Site Scripting in Gravity Forms plugin for WordPress allows unauthenticated remote attackers to inject malicious JavaScript into form entries that executes when administrators view the Entries List page. The vulnerability exploits a flawed dual-hash state validation mechanism that fails to prevent sanitized-then-restored XSS payloads in Consent field hidden inputs. Gravity Forms versions up to 2.10.0 are affected. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence threat intelligence disclosure indicates vendor awareness and patching activity.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-6916 MEDIUM This Month

Stored cross-site scripting in Jeg Kit for Elementor WordPress plugin versions up to 3.1.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'sg_content_number_prefix' parameter, which executes when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Fun Fact widget element, affecting any WordPress site using this popular page builder addon. CVSS score of 6.4 reflects the network attack vector and broad scope, though exploitation requires valid contributor-level credentials.

WordPress XSS Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7049 HIGH This Week

Server-Side Request Forgery in PixelYourSite Pro WordPress plugin allows unauthenticated remote attackers to force the web application to make arbitrary HTTP requests to internal or external resources through the vulnerable scan_video function. The vulnerability affects all versions up to 12.5.0.1 and features a Changed scope (CVSS S:C), enabling attackers to probe internal network infrastructure, access cloud metadata services, and potentially modify data in internal systems that trust requests from the WordPress server. The blind SSRF nature means attackers receive no direct response but can infer results through timing attacks or side-channel observation. EPSS data not available; no public exploit code identified at time of analysis.

SSRF WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-6812 MEDIUM This Month

Server-Side Request Forgery in the Ona WordPress theme versions up to 1.26 via the ona_activate_child_theme function allows authenticated administrators to make arbitrary web requests originating from the affected server, enabling query and modification of internal services. The vulnerability requires administrator-level privileges and high attack complexity, limiting real-world exploitation to compromised or malicious admin accounts. No public exploit code or active exploitation has been identified.

SSRF WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-7641 HIGH This Week

Authenticated privilege escalation in 'Import and export users and customers' WordPress plugin versions up to 2.0.8 allows Subscriber-level users to elevate privileges to Administrator on any subsite within a WordPress Multisite network. The vulnerability stems from an incomplete blocklist in save_extra_user_profile_fields() that restricts primary site capability meta keys (wp_capabilities) but fails to block multisite-prefixed equivalents (wp_2_capabilities, wp_3_capabilities, etc.). Exploitation requires that an administrator has previously imported a CSV with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option. Patch released in changeset 3515646 per WordPress plugin repository. No EPSS or KEV data available, indicating no widespread exploitation detected at time of analysis.

Privilege Escalation WordPress PHP
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7458 CRITICAL Act Now

Authentication bypass in User Verification by PickPlugins for WordPress allows remote unauthenticated attackers to log in as any user with a verified email - including administrators - by submitting the string 'true' as the OTP code. The vulnerability stems from a loose PHP comparison operator (==) in the OTP validation logic, which treats the boolean true as equal to any non-zero numeric OTP value. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents complete system compromise risk for WordPress sites running vulnerable versions (≤2.0.46). Fixed in version 2.0.47 per Wordfence advisory and WordPress plugin repository changeset 3519113.

PHP WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6963 HIGH This Week

Missing capability check in WP Mail Gateway plugin for WordPress (versions ≤1.8) allows authenticated attackers with Subscriber-level privileges to modify SMTP settings via the wmg_save_provider_config AJAX action, enabling mail redirection. Attackers exploit this by redirecting password reset emails to attacker-controlled servers, then using intercepted credentials to escalate privileges to Administrator. CVSS 8.8 (High) reflects the severe impact despite requiring initial low-level authentication. No active exploitation confirmed via CISA KEV, but Wordfence reporting indicates discovery by security researchers and likely inclusion in their threat intelligence feeds.

Authentication Bypass WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6446 MEDIUM This Month

My Social Feeds - Social Feeds Embedder WordPress plugin up to version 1.0.4 exposes sensitive TikTok OAuth credentials via an unauthenticated AJAX endpoint due to missing authorization and nonce checks. Authenticated attackers with Subscriber-level access can retrieve stored access_token and refresh_token values belonging to administrator-connected TikTok accounts, enabling them to impersonate the site owner in TikTok API interactions. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability is trivial to exploit once network access is established.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-4882 CRITICAL Act Now

Unrestricted file upload in User Registration Advanced Fields plugin for WordPress (≤1.6.20) allows remote unauthenticated attackers to upload executable files and achieve code execution on the web server when Profile Picture fields are enabled in registration forms. Wordfence has documented this critical vulnerability affecting all versions through 1.6.20, with exploitation possible against any site using the Profile Picture form field feature without authentication or user interaction required.

WordPress File Upload RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4658 MEDIUM This Month

Stored Cross-Site Scripting in Essential Blocks WordPress plugin versions up to 6.0.4 allows authenticated Contributor-level users to inject arbitrary JavaScript into the Add to Cart block via unescaped className, classHook, and blockId attributes, executing malicious scripts in pages viewed by any site visitor. The vulnerability stems from use of raw sprintf() and implode() functions without WordPress escaping functions (esc_attr) in the render_callback() function, despite the outer wrapper using proper escaping. CVSS 6.4 (medium) reflects the requirement for authenticated access; however, the stored nature and cross-site scope elevate real-world risk on multi-author WordPress sites.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14726 MEDIUM POC This Month

Unauthenticated attackers can access and modify plugin settings in the Widgets for Social Photo Feed WordPress plugin through missing capability checks on two REST API endpoints, allowing unauthorized data access and configuration changes in all versions up to and including 1.8. The vulnerability requires only network access with no user interaction, making it trivially exploitable by remote attackers without authentication credentials.

Authentication Bypass WordPress Information Disclosure
NVD VulDB GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7638 MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the profile avatar of any WordPress user, including administrators, via an Insecure Direct Object Reference in the App Builder - Create Native Android & iOS Apps On The Flight plugin versions up to 5.6.0. The `/wp-json/app-builder/v1/upload-avatar` endpoint fails to validate that the authenticated user owns the target account before processing avatar uploads, allowing privilege escalation and account compromise through arbitrary user_id parameter submission in POST requests. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google WordPress Apple
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-7209 MEDIUM This Month

Stored Cross-Site Scripting in Simple Link Directory plugin for WordPress up to version 8.9.2 allows authenticated contributors and above to inject arbitrary JavaScript through insufficiently sanitized shortcode attributes like `title_font_size`, which executes in the browsers of all users accessing affected pages. The vulnerability affects the `qcopd-directory` shortcode and requires contributor-level WordPress access to exploit, making it a moderate-to-high risk for multi-author WordPress sites without strict role management.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6378 MEDIUM This Month

Stored cross-site scripting in Maxi Blocks plugin for WordPress versions up to 2.1.9 allows authenticated attackers with Author-level access and above to inject arbitrary JavaScript via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint through insufficient sanitization of the `sc_styles` parameter. Injected scripts execute on every page where style card styles are loaded, including the WordPress admin panel, affecting all website visitors and administrators. The vendor released patched version 2.1.10 on 27 April 2026 with input sanitization fixes (wp_strip_all_tags applied to sc_styles parameter) and privilege escalation mitigation in the image crop functionality.

WordPress XSS
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-3143 MEDIUM This Month

Unauthenticated attackers can cancel pending rollbacks in Total Upkeep WordPress Backup Plugin by BoldGrid (versions up to 1.17.1) due to missing capability checks on the wp_ajax_cli_cancel AJAX function, allowing malicious users to prevent automatic recovery from failed WordPress updates. CVSS 5.3 (network-accessible, low complexity) reflects the integrity impact and lack of authentication requirement, though real-world impact depends on whether rollback operations are actively pending during an update failure.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3140 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Ultimate Dashboard for WordPress up to version 3.8.14 allows unauthenticated attackers to toggle plugin modules on or off by tricking site administrators into clicking a malicious link. The vulnerability stems from flawed nonce validation in the 'handle_module_actions' function, enabling attackers to modify plugin configuration without user consent. No public exploit code or active exploitation has been identified at this time.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3772 HIGH This Week

Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.

CSRF PHP WordPress
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7567 CRITICAL POC Act Now

Authentication bypass in the Temporary Login WordPress plugin (versions ≤1.0.0) allows remote unauthenticated attackers to authenticate as any temporary login user via a single crafted GET request. The vulnerability exploits a type juggling flaw where passing 'temp-login-token' as an array bypasses validation checks and causes WordPress to return all users with temporary login tokens, enabling complete account takeover without knowledge of valid credentials. CVSS 9.8 (Critical) with network attack vector and no prerequisites. EPSS data not available; exploitation requires the presence of active temporary login accounts created by site administrators.

Authentication Bypass WordPress
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2024-13362 MEDIUM This Month

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Elementor
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-6127 MEDIUM This Month

Stored cross-site scripting in Elementor Website Builder plugin for WordPress up to version 4.0.4 allows authenticated contributors to inject arbitrary JavaScript via form-encoded REST API requests to the _elementor_data meta field. The vulnerability bypasses sanitization by exploiting a json_decode() failure on non-JSON request bodies, causing unsanitized data to be stored and later output without escaping in widget rendering functions. Contributors and above can inject malicious scripts that execute for all users viewing affected pages, compromising site integrity and user sessions.

WordPress XSS Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2892 HIGH This Week

Unauthenticated attackers can bypass Stripe payment gates in Otter Blocks for WordPress ≤3.1.4 by forging the 'o_stripe_data' cookie with publicly visible product IDs from checkout block HTML source, gaining unauthorized access to premium content. The plugin's 'get_customer_data' method accepts unsigned cookie data without server-side Stripe API verification for one-time purchases, enabling trivial exploitation with no authentication required. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from accessing gated content. EPSS data unavailable; no active exploitation or POC confirmed at time of analysis, but the attack requires only basic HTTP cookie manipulation skills.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-6498 MEDIUM This Month

Five Star Restaurant Reservations plugin for WordPress versions up to 2.7.16 allows unauthenticated attackers to bypass payment verification through PHP type juggling in the valid_payment() function. The vulnerability exists in the rtb_stripe_pmt_succeed AJAX handler, which uses loose comparison (==) between attacker-supplied payment_id and the booking's stripe_payment_intent_id. When the intent ID is null (before Stripe intent creation), an empty payment_id parameter passes validation, enabling attackers to mark payment-pending bookings as paid without completing actual Stripe payments. This permits unauthorized order fulfillment and revenue loss for affected WordPress sites.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2902 MEDIUM This Month

The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-4019 MEDIUM This Month

The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts.

WordPress Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4805 MEDIUM This Month

Stored cross-site scripting (XSS) in the Woostify WordPress plugin through version 2.5.0 allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript into pages via unsanitized href attributes in the bundled Lity.js lightbox library. The injected scripts execute in the browsers of any user visiting the compromised page, enabling account takeover, credential theft, and malware distribution. No public exploit code has been identified at the time of analysis, but the vulnerability requires only low complexity network access with authenticated credentials.

WordPress XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4911 MEDIUM This Month

Booking Package plugin for WordPress up to version 1.7.06 allows unauthenticated attackers to manipulate booking prices via the intentForStripe() function, which accepts unsanitized $_POST['amount'] values and passes them directly to the Stripe PaymentIntent API without validation. The vulnerability is compounded by commented-out code in CreditCard.php that would normally enforce server-calculated pricing, enabling attackers to complete bookings at arbitrary prices (e.g., $0.01 instead of $500.00) with no authentication required. This is a confirmed price manipulation vulnerability with no active KEV exploitation reported but represents significant financial fraud risk.

PHP WordPress RCE
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5306 MEDIUM POC PATCH This Month

Stored XSS vulnerability in Check & Log Email WordPress plugin before version 2.0.13 allows authenticated users with low privileges to inject malicious scripts via improper email replacement handling when the email encoder setting is enabled. The vulnerability requires user interaction (UI:R) to execute, affecting confidentiality and integrity with cross-site scope. Publicly available exploit code exists but exploitation probability remains low (EPSS 0.05%, percentile 17%), indicating this is not a widely targeted vulnerability despite public awareness.

WordPress XSS
NVD WPScan
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-6725 MEDIUM This Month

Stored cross-site scripting in WPC Smart Messages for WooCommerce plugin through version 4.2.8 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via the 'text' attribute of the wpcsm_text_rotator shortcode, resulting in execution whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping. No active exploitation confirmed; patch available in version 4.2.9.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6809 MEDIUM This Month

Stored Cross-Site Scripting in Social Post Embed plugin for WordPress up to version 2.0.1 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into page content via the Threads embed handler due to insufficient input sanitization and output escaping. Injected scripts execute when any user views the affected page, enabling session hijacking, credential theft, or malware distribution from trusted WordPress sites. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6551 MEDIUM This Month

Stored Cross-Site Scripting in Timeline Blocks for Gutenberg WordPress plugin through version 1.1.10 allows authenticated contributors and above to inject arbitrary JavaScript via the 'titleTag' attribute of the timeline-blocks/tb-timeline-blocks block, executing malicious scripts whenever any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied block attributes. Exploitation requires WordPress contributor-level access or higher and affects all versions up to 1.1.10.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6741 HIGH This Week

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.

WordPress Privilege Escalation Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7106 HIGH This Week

Authenticated attackers with Subscriber-level privileges can escalate to Administrator role in Highland Software Custom Role Manager for WordPress via profile update exploitation. The hscrm_save_user_roles() function lacks capability checks on the personal_options_update hook, allowing low-privilege users to modify arbitrary user roles including their own. Version 1.0.1 released with authorization fixes. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided, no CISA KEV listing identified, indicating limited widespread exploitation despite the severity of self-service privilege escalation to site administrator.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3569 MEDIUM This Month

Liaison Site Prober plugin for WordPress allows unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, and login events through an improperly secured REST API endpoint (/wp-json/site-prober/v1/logs) in all versions up to 1.2.1. The vulnerability stems from a permission callback that unconditionally returns true without validating user capabilities, enabling information disclosure with network-level access and no authentication required. No public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4078 MEDIUM This Month

Stored Cross-Site Scripting in ITERAS WordPress plugin version 1.8.2 and earlier allows authenticated attackers with Contributor-level privileges to inject arbitrary JavaScript code via shortcode attributes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) due to insufficient input sanitization in the combine_attributes() function. When a user accesses a page containing the malicious shortcode, the injected script executes in their browser context, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3565 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Taqnix WordPress plugin versions up to 1.0.3 allows unauthenticated attackers to trick logged-in users into deleting their own accounts via a forged request. The vulnerability stems from a commented-out nonce verification check in the taqnix_delete_my_account() function, making account deletion unprotected against CSRF attacks. No public exploit code or active exploitation has been identified, though the attack requires user interaction (clicking a malicious link or visiting a compromised page).

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
EPSS 0% CVSS 6.5
MEDIUM This Month

GenerateBlocks plugin for WordPress up to version 2.2.0 fails to verify object-level authorization on the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint, allowing authenticated Contributor-level users to extract sensitive information from arbitrary posts including author email addresses and post meta values through crafted dynamic tag payloads. The vulnerability checks only for edit_posts capability but does not verify access to specific posts, exposing confidential data across the entire site to low-privilege authenticated users.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

ElementsKit Elementor Addons plugin for WordPress versions up to 3.8.2 allows unauthenticated attackers to overwrite Elementor widget content via a missing capability check in the Live_Action::reset() function. By crafting a URL with specific GET parameters (post and action=elementor), attackers can permanently replace any elementskit_widget custom post type's design, text, and configurations with a blank template, causing data loss without requiring authentication or user interaction.

Authentication Bypass WordPress Elementor
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Royal Addons for Elementor's Instagram Feed widget allows authenticated contributors and above to inject arbitrary JavaScript via the 'instagram_follow_text' setting, which executes in the browsers of all users viewing the affected page. The vulnerability affects all versions up to 1.7.1056 and requires the Instagram Feed widget to be previously configured with a valid access token by an administrator. No public exploit code or active exploitation has been confirmed at this time.

XSS WordPress Elementor
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Carousel Free plugin for WordPress affects all versions up to 2.7.10, allowing authenticated attackers with Contributor-level access to inject arbitrary JavaScript via malformed carousel container IDs in the fancybox `data-caption` attribute. The vulnerability arises when the fancybox configuration script fails to initialize due to unsanitized DOM selectors, causing the bundled fancybox library v3.5.7 to fall back to unsafe default caption handling that renders HTML directly. This enables script execution in the context of site visitors clicking images in the compromised carousel lightbox. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in Royal Elementor Addons WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exists in all versions up to 1.7.1056 due to a publicly leaked static nonce that bypasses authentication checks for the wpr_update_form_action_meta AJAX endpoint. Combined with insufficient input sanitization on the 'status' parameter, attackers can inject persistent XSS payloads without authentication. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

XSS WordPress Elementor
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

EmailKit plugin for WordPress versions up to 1.6.5 allows authenticated attackers with Author-level access to read arbitrary files from the server due to a path traversal vulnerability in the create_template() method. The vulnerability exploits a PHP 8.x type coercion flaw where realpath() returns false for non-existent directories, causing strpos() validation to incorrectly evaluate and bypass directory restrictions. Attackers can retrieve sensitive files such as wp-config.php by submitting absolute paths via the emailkit-editor-template REST API parameter. No public exploit code identified at time of analysis, though the vulnerability mechanism is trivial to weaponize once authentication is obtained.

PHP WordPress Path Traversal
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery in Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin versions up to 3.5.3 allows authenticated contributors and above to initiate arbitrary web requests from the vulnerable server via the import_images() function, enabling query and modification of internal services. The vulnerability is exploitable without user interaction over the network, affecting sites with contributor-level users or higher.

SSRF WordPress
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Geeky Bot WordPress plugin versions ≤1.2.2 allows unauthenticated attackers to install arbitrary plugins and execute code on affected sites. The vulnerability exploits a missing authorization check in a nopriv AJAX handler that permits attacker-controlled function dispatch to a plugin installer, enabling download and extraction of malicious ZIP files directly into wp-content/plugins/. With CVSS 9.8 (critical), network-exploitable without authentication, and EPSS data unavailable, this represents a severe risk to all WordPress sites running vulnerable versions until patched.

Authentication Bypass RCE WordPress
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated SQL injection in GeekyBot WordPress plugin allows remote attackers to extract sensitive database contents via the 'attributekey' parameter. Affects all versions through 1.2.0. The CVSS 7.5 rating reflects network-based exploitation requiring no authentication or user interaction, with high confidentiality impact. Wordfence Threat Intelligence identified this vulnerability, with a patch committed in changeset 3474168. No active exploitation confirmed in CISA KEV at time of analysis, though the trivial attack complexity (AC:L) and unauthenticated vector (PR:N) make this a realistic target for automated scanning and exploitation.

SQLi WordPress
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Loco Translate plugin for WordPress versions up to 2.8.2 allows authenticated attackers with Translator-level access to read arbitrary files outside the intended translation directory via path traversal in the `fsReference` AJAX endpoint. The vulnerability exploits insufficient validation of directory traversal sequences (`../`) in the `findSourceFile()` method, enabling disclosure of sensitive `.php`, `.js`, `.json`, and `.twig` files including wp-config.php-adjacent files. No public exploit code has been identified at time of analysis, and the attack requires administrative capability assignment (`loco_admin` capability) granted to translators by default.

PHP WordPress Path Traversal
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP-Clippy plugin for WordPress up to version 1.0.0 allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript via the `clippy` shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page. No public exploit code or active exploitation has been identified at the time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Simple Owl Shortcodes WordPress plugin versions up to 2.1.1 allows authenticated contributors and above to inject arbitrary JavaScript via the 'num' attribute of the 'owls_wrapper' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at the time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in Blog Settings plugin for WordPress versions up to 1.0 allows unauthenticated attackers to inject arbitrary JavaScript via the 'page' parameter due to insufficient input sanitization and output escaping. An attacker must trick a user into clicking a malicious link to execute the injected script in the victim's browser session, potentially compromising WordPress admin credentials or site functionality.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin up to version 3.5.3 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via the 'separatorIconSVG' parameter, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping. No public exploit code or active exploitation has been identified at the time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery in Publish 2 Ping.fm WordPress plugin up to version 1.1 allows unauthenticated attackers to modify plugin settings and inject malicious scripts by tricking site administrators into clicking a crafted link, exploiting missing nonce validation on the admin settings page. The vulnerability requires user interaction (admin click) and affects the plugin's confidentiality and integrity but not availability. No public exploit code or active exploitation has been confirmed.

PHP CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in DX Sources plugin for WordPress up to version 2.0.1 allows unauthenticated attackers to modify plugin configuration options by tricking a logged-in administrator into clicking a malicious link. The vulnerability stems from missing nonce validation in the settings_page_build function, enabling attackers to alter plugin settings without administrative consent. No active exploitation has been confirmed at the time of analysis.

CSRF WordPress
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Stored cross-site scripting (XSS) in PublishPress Future WordPress plugin versions up to 4.10.0 allows authenticated administrators to inject arbitrary JavaScript via the 'wrapper' attribute of the [futureaction] shortcode, which executes in the browsers of all users viewing the affected page. The vulnerability stems from insufficient sanitization: the plugin uses esc_html() to escape the attribute value but then passes it as a bare HTML tag name in a sprintf() call, permitting event handler injection through spaces. Since administrators can delegate this functionality to lower-privileged contributors, the attack surface extends beyond high-privilege users.

XSS WordPress
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Subscribe To Comments Reloaded plugin for WordPress up to version 240119 allows unauthenticated attackers to extract a global secret key from public post pages and forge authorization tokens, enabling unauthorized modification of comment subscription preferences for arbitrary users. The vulnerability stems from weak hash generation and key exposure, affecting all installations without authentication requirements. Active exploitation potential is high given the trivial access vector (network, no user interaction) and the ability to manipulate user subscription data.

Information Disclosure WordPress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in AWP Classifieds plugin for WordPress versions up to 4.4.5 allows remote unauthenticated attackers to extract sensitive database contents via array key manipulation in the 'regions' parameter. The vulnerability stems from insufficient escaping of user input in search functionality, affecting the plugin's query integration and page search components. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and no authentication required, this poses significant risk to WordPress sites running this classifieds plugin, though no public exploit or active exploitation has been identified at time of analysis.

SQLi WordPress
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in Mentoring theme for WordPress (all versions ≤1.2.8) allows unauthenticated remote attackers to create administrator accounts via broken registration role validation in mentoring_process_registration(). The flaw bypasses normal WordPress role restrictions, enabling complete site takeover without requiring any authentication or user interaction. CVSS 9.8 (critical) with network attack vector and no complexity barriers. EPSS and KEV data not provided, but the combination of unauthenticated admin account creation represents an imminent site compromise risk for all installations with registration enabled.

Privilege Escalation WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in Zingaya Click-to-Call WordPress plugin up to version 1.0 allows unauthenticated attackers to inject arbitrary web scripts via the email, first_name, last_name, and phone parameters on the plugin's admin sign-up page. The vulnerability requires user interaction (clicking a malicious link) and results in session hijacking, credential theft, or defacement within the WordPress admin context. No public exploit code or active exploitation has been identified at the time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Charts Ninja: Create Beautiful Graphs & Charts plugin for WordPress (all versions up to 2.1.0) allows authenticated contributors and above to inject arbitrary JavaScript via the 'chartid' shortcode attribute due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, potentially compromising site visitors and administrative accounts. No public exploit code or active exploitation has been confirmed at this time.

XSS WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in addfreespace WordPress plugin versions up to 0.1.3 allows unauthenticated attackers to update plugin settings and inject malicious scripts by tricking site administrators into clicking a forged link, exploiting missing nonce validation on settings update functions. The vulnerability requires user interaction (administrator click) and has low impact scope (integrity only, no confidentiality or availability loss), making it a moderate-risk CSRF attack vector in typical WordPress deployments.

CSRF WordPress
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in MoreConvert Pro for WordPress allows remote unauthenticated attackers to hijack any user account, including administrators, by exploiting token reuse in the guest waitlist verification flow. Attackers obtain a verification token for their own email, change the guest customer email to the target victim's email via the public waitlist API, then use the original token to authenticate as the victim. This critical vulnerability (CVSS 9.8) affects all versions through 1.9.14, with network-accessible, low-complexity exploitation requiring no privileges or user interaction. EPSS data not available; no confirmed active exploitation or public POC identified at time of analysis.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial-of-service condition in Conditional Fields for Contact Form 7 WordPress plugin allows remote unauthenticated attackers to crash PHP processes by injecting arbitrarily large iteration values through REST API parameters. The Wpcf7cfMailParser class processes user-supplied POST data without validation, enabling attackers to trigger unbounded loops with multiple regex operations that exhaust server memory. Affects all versions through 2.6.7 with vendor patch now available. EPSS data not provided, but the network-accessible unauthenticated attack vector (AV:N/PR:N) combined with low complexity (AC:L) indicates straightforward exploitation potential against publicly accessible WordPress sites running this plugin.

Denial Of Service PHP WordPress
NVD VulDB
EPSS 0% CVSS 8.2
HIGH POC Monitor

Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

Authentication Bypass WordPress Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH POC Monitor

Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.

Authentication Bypass WordPress
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Magic Export & Import WordPress plugin before version 1.2.0 stores exported CSV files in a publicly accessible web directory, allowing unauthenticated remote attackers to enumerate and download sensitive user data without authentication. The vulnerability affects all versions prior to 1.2.0, has publicly available proof-of-concept code, and carries moderate real-world risk due to the low attack complexity and high automatable nature of exploitation, though the actual severity is constrained by the fact that CSV export must first occur and require that files remain accessible.

Path Traversal WordPress Information Disclosure
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Frontend File Manager Plugin for WordPress through version 23.6 allows authenticated Subscriber-level users and higher to read arbitrary files belonging to other users via insecure direct object reference (IDOR) in the download endpoint. By manipulating the 'file_id' parameter, attackers can bypass authorization checks and access sensitive data stored by administrators and other privileged users. Publicly available exploit code exists for this vulnerability, though EPSS scoring (0.02%) suggests limited real-world exploitation relative to its high CVSS rating.

Authentication Bypass WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in NEX-Forms WordPress plugin versions ≤9.1.11 allows unauthenticated remote attackers to inject malicious JavaScript through crafted POST parameter key names during form submission. Exploitation requires no authentication (CVSS PR:N) and persists across page loads, affecting any user viewing injected content. The CVSS vector indicates changed scope (S:C), meaning attackers can impact resources beyond the vulnerable component's security scope. No active exploitation confirmed via CISA KEV at time of analysis, but WordPress XSS vulnerabilities typically see rapid weaponization once disclosed.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in NextMove Lite - Thank You Page for WooCommerce plugin allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via the 'xlwcty_current_date' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browser of any user viewing affected pages, potentially compromising WordPress site integrity and user sessions. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated vendors with low-level privileges can delete arbitrary WordPress users, including site administrators, via Insecure Direct Object Reference in WCFM - Frontend Manager for WooCommerce plugin versions up to 6.7.25. The vulnerability resides in the 'wcfm_delete_wcfm_customer' function which fails to validate user-controlled 'customerid' parameters, allowing privilege escalation through unauthorized user deletion. Patch available in version 6.7.26 per Trac changeset 3483695. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 8.1 (High) reflects significant real-world impact if exploited by malicious vendors on WooCommerce marketplaces.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote attackers can extract sensitive user information including email addresses, usernames, and user IDs through the '/dokan/v1/stores/{id}/reviews' REST API endpoint in Dokan plugin versions up to 4.3.1. The vulnerability affects only installations with the Pro version activated and store reviews enabled, allowing information disclosure of all customers who left vendor reviews. No public exploit code has been identified, but the attack requires no authentication or user interaction and can be automated at scale.

WordPress Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.8
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Quiz Maker by AYS WordPress plugin versions up to 6.7.1.29 allows unauthenticated attackers to inject arbitrary JavaScript through the 'rate_reason' parameter due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling credential theft, malware distribution, or defacement without requiring authentication or user interaction.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file read in Salon Booking System plugin for WordPress (versions ≤10.30.25) allows unauthenticated remote attackers to exfiltrate sensitive local files by injecting malicious file paths into booking form fields, which are then attached to confirmation emails sent by the system. Wordfence identified this path traversal vulnerability (CWE-22) with a CVSS score of 7.5, exploitable without authentication or user interaction. The vulnerability is confirmed patched in version 10.30.26 via changeset 3512110, though no CISA KEV listing or public exploit code has been identified at time of analysis.

Path Traversal WordPress
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Time-based blind SQL injection in Geo Mashup WordPress plugin allows unauthenticated remote attackers to extract database contents when Geo Search is enabled. The vulnerability stems from explicit removal of WordPress's built-in magic quotes protection via stripslashes_deep($_POST), combined with failure to sanitize the map_post_type parameter before SQL concatenation in an IN() clause. EPSS data not provided. No CISA KEV listing indicates this is not yet confirmed as actively exploited. Public exploit code status unknown, though detailed code references in Wordfence advisory provide clear exploitation path. Patch released in changeset 3503627.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored Cross-Site Scripting in Premium Addons for Elementor plugin for WordPress up to version 4.11.70 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript via the 'custom_svg' parameter, which executes in the browsers of users viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping on a user-controllable SVG parameter. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress XSS Elementor
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Time-based SQL injection in Geo Mashup WordPress plugin versions ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from ineffective sanitization in the 'object_ids' and 'exclude_object_ids' parameters-while esc_sql() is applied, it provides no protection in unquoted IN() contexts where attackers can inject parentheses and SQL keywords. The numeric sanitizer exists but only applies to AJAX paths, leaving render-map.php and template tag paths vulnerable. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence Threat Intelligence disclosure increases likelihood of weaponization.

PHP WordPress SQLi
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Authenticated attackers with Subscriber-level access can disrupt all Stripe payment processing in Paid Memberships Pro for WordPress versions up to 3.6.5 by deleting, creating, or rebuilding webhook configurations. Missing capability checks on three AJAX handlers (pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, pmpro_stripe_rebuild_webhook) allow low-privilege users to break subscription renewals, cancellation handling, and failed payment management for the entire site. Patch available in PR #3615 implementing proper authorization checks requiring manage_options or pmpro_paymentsettings capabilities plus nonce validation. EPSS data not provided; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.

Authentication Bypass WordPress
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Time-based SQL injection in WordPress Geo Mashup plugin ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The 'sort' parameter in multiple code paths (render-map.php, template tags) lacks proper sanitization despite esc_sql() application, which is ineffective in ORDER BY contexts without quote encapsulation. Version 1.13.18 added allowlist-based sanitization but only protected the AJAX endpoint, leaving other attack vectors exploitable. EPSS and KEV data not available; vulnerability disclosed by Wordfence with public source code references confirming the flaw.

PHP WordPress SQLi
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored Cross-Site Scripting in Total WordPress theme versions up to 2.2.1 allows authenticated contributors and above to inject arbitrary JavaScript via post titles in the home blog section. The vulnerability stems from insufficient output escaping when rendering post titles in HTML attribute context. Exploitation requires the malicious post to be published and displayed with a featured image on the home page, where the injected script will execute in the browsers of all users viewing the page. No public exploit code has been identified, and active exploitation has not been confirmed.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated attackers can inject stored cross-site scripting payloads into Brizy Page Builder for WordPress (versions ≤2.8.11) via form submission FileUpload fields, which execute when administrators view the form Leads page. The vulnerability chains three implementation flaws: missing nonce verification for anonymous form submissions, inadequate sanitization of FileUpload field values when no file is attached, and reversal of HTML entity encoding via html_entity_decode() before unescaped output in admin views. Publicly available exploit code exists. EPSS data not provided, but the CVSS 7.2 (High) with scope change reflects the privilege escalation from unauthenticated user to admin-context execution. Patch released in version 2.8.12 per WordPress plugin repository changeset 3502206.

PHP WordPress XSS
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify form action metadata on WordPress posts through the Royal Addons for Elementor plugin (versions up to 1.7.1056) due to a missing capability check on the wpr_update_form_action_meta AJAX endpoint. The endpoint registers on both wp_ajax and wp_ajax_nopriv hooks, is accessible without authentication, and relies on a nonce that is publicly exposed in frontend JavaScript, allowing attackers to bypass the nonce protection and alter email, Mailchimp, and webhook settings on any post. This enables attackers to hijack form submissions, exfiltrate data via modified webhook URLs, or redirect emails to attacker-controlled addresses without any user interaction or special configuration required.

Authentication Bypass WordPress Elementor
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery (SSRF) in Royal Elementor Addons plugin for WordPress allows authenticated attackers with Contributor-level permissions to bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling requests to arbitrary internal URLs and retrieval of sensitive data from private network services. Affects versions up to 1.7.1057. The CVSS vector indicates network-based attack with no authentication required (PR:N), contradicting the description's statement of Contributor-level requirement-affected site operators should verify actual privilege requirements with vendor advisory. No active exploitation confirmed (not in CISA KEV), but detailed source code references enable rapid POC development.

SSRF Google WordPress +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in Geo Mashup WordPress plugin versions up to 1.13.19 allows authenticated attackers with subscriber-level access to extract sensitive database information via the 'geo_mashup_null_fields' parameter due to insufficient escaping and lack of prepared statement usage. The vulnerability requires valid WordPress authentication but grants high-confidence data confidentiality compromise without requiring user interaction, affecting all installations of this geolocation plugin with vulnerable versions active.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can approve any WordPress booking in 'waiting' status via the admin-ajax endpoint in Amelia plugin versions up to 2.1.2, due to a logical short-circuit flaw that skips token validation when the booking status matches a specific condition. An attacker can craft a direct request to the publicly-accessible endpoint to approve arbitrary bookings without authentication. This impacts all installations with pending bookings and exposes the booking workflow integrity across WordPress sites using this plugin.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Widget Options plugin for WordPress (all versions ≤4.2.2) allows authenticated Contributor-level users to execute arbitrary PHP code on the server by bypassing input validation in the Display Logic feature. The plugin's unsafe use of eval() on user-controlled expressions, combined with insufficient authorization checks on the extended_widget_opts_block attribute, enables attackers to chain array_map with string concatenation to bypass blocklists. Version 4.2.0 included a partial patch, indicating the vulnerability remains exploitable in current versions. No CISA KEV listing or public POC identified at time of analysis, but EPSS data not provided for risk calibration.

RCE WordPress Code Injection
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can bypass authorization controls in FundPress WordPress Donation Plugin versions up to 2.0.8 to arbitrarily modify donation statuses via the donate_action_status() AJAX handler, which lacks nonce verification and capability checks despite being exposed to unauthenticated users. By enumerating sequential donation IDs and sending crafted POST requests, attackers can mark donations as completed, pending, or cancelled, potentially triggering email notifications and corrupting donation records without any user interaction or authentication.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Time-based blind SQL injection in ARMember WordPress plugin versions up to 4.0.60 allows unauthenticated remote attackers to extract sensitive database information via the 'orderby' parameter. The vulnerability stems from insufficient input sanitization in the members directory and shortcode handling classes, enabling attackers to append malicious SQL queries without authentication (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). EPSS data and active exploitation status not available at time of analysis, but the lack of authentication requirements and low attack complexity make this a high-priority remediation target for WordPress sites using ARMember for membership management or content restriction.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting (XSS) in Gravity Forms WordPress plugin versions ≤2.10.0 allows remote unauthenticated attackers to inject malicious JavaScript that executes when administrators view form entries. The vulnerability exploits a validation bypass in nested SingleProduct fields within Repeater fields, where product name tampering is not validated. When admins access compromised entries via wp-admin, the unsanitized payload executes in their browser session. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication or user interaction during payload delivery, though the attack requires subsequent admin interaction (viewing the entry) for payload execution. No active exploitation confirmed in CISA KEV at time of analysis.

PHP WordPress XSS
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP object injection in Profile Builder Pro for WordPress allows remote attackers to execute arbitrary code by deserializing malicious objects through an unprotected AJAX endpoint. The vulnerability affects all versions through 3.14.5 and stems from unsafe deserialization of attacker-controlled POST data in the wppb_request_users_pins_action_callback() handler, which was registered for both authenticated and unauthenticated users without nonce verification. With CVSS 8.1 and AC:H complexity, exploitation requires chaining with a POP gadget chain, though EPSS data and KEV status are not available to confirm active exploitation.

PHP WordPress Deserialization
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in Gravity Forms plugin for WordPress through version 2.10.0 allows unauthenticated remote attackers to inject malicious scripts via Hidden Product fields nested in Repeater fields. The vulnerability executes when WordPress administrators view submitted form entries. Attack succeeds because repeater subfields bypass validation, and the Hidden Product field's validate() method checks only quantity while ignoring the product name field, which renders unescaped in entry details. CVSS 7.2 with changed scope indicates potential cross-user impact. EPSS and KEV data not provided; exploitation requires no authentication or user interaction (AV:N/PR:N/UI:N), making this exploitable against any public-facing Gravity Forms installation accepting submissions.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in Call for Price for WooCommerce plugin versions up to 4.2.0 allows authenticated administrators to inject arbitrary JavaScript via plugin settings that executes for all users visiting affected pages. The vulnerability requires administrator-level access and is limited to WordPress multisite installations or single-site installations with the unfiltered_html capability disabled, significantly reducing real-world exposure compared to the CVSS score of 4.4 suggests.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in Gravity Forms for WordPress ≤2.10.0 allows unauthenticated remote attackers to inject malicious JavaScript through Product Option field values that execute when administrators view entry details. The flaw exploits a sanitization bypass: the plugin's state validation accepts values matching wp_kses()-cleaned legitimate options but stores the raw unsanitized input, which is then rendered without escaping in the Order Summary view (view-order-summary.php:32). EPSS data not available; no public exploit identified at time of analysis. Vendor patch status requires verification via changelog.

PHP WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in Gravity Forms for WordPress up to 2.10.0 enables unauthenticated attackers to inject malicious scripts through form submissions containing crafted Calculation Product field names within Repeater fields. When administrators view entry details in wp-admin, the unescaped product names execute arbitrary JavaScript in the admin context. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N/S:C) indicates network-accessible exploitation without authentication, though actual impact requires admin interaction. EPSS and KEV data not provided; no public exploit code confirmed at time of analysis. Wordfence reported this vulnerability affecting the Calculation Product field validation and rendering chain.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in Gravity Forms plugin for WordPress allows unauthenticated remote attackers to inject malicious JavaScript into form entries that executes when administrators view the Entries List page. The vulnerability exploits a flawed dual-hash state validation mechanism that fails to prevent sanitized-then-restored XSS payloads in Consent field hidden inputs. Gravity Forms versions up to 2.10.0 are affected. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence threat intelligence disclosure indicates vendor awareness and patching activity.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Jeg Kit for Elementor WordPress plugin versions up to 3.1.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'sg_content_number_prefix' parameter, which executes when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Fun Fact widget element, affecting any WordPress site using this popular page builder addon. CVSS score of 6.4 reflects the network attack vector and broad scope, though exploitation requires valid contributor-level credentials.

WordPress XSS Elementor
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Server-Side Request Forgery in PixelYourSite Pro WordPress plugin allows unauthenticated remote attackers to force the web application to make arbitrary HTTP requests to internal or external resources through the vulnerable scan_video function. The vulnerability affects all versions up to 12.5.0.1 and features a Changed scope (CVSS S:C), enabling attackers to probe internal network infrastructure, access cloud metadata services, and potentially modify data in internal systems that trust requests from the WordPress server. The blind SSRF nature means attackers receive no direct response but can infer results through timing attacks or side-channel observation. EPSS data not available; no public exploit code identified at time of analysis.

SSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Server-Side Request Forgery in the Ona WordPress theme versions up to 1.26 via the ona_activate_child_theme function allows authenticated administrators to make arbitrary web requests originating from the affected server, enabling query and modification of internal services. The vulnerability requires administrator-level privileges and high attack complexity, limiting real-world exploitation to compromised or malicious admin accounts. No public exploit code or active exploitation has been identified.

SSRF WordPress
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated privilege escalation in 'Import and export users and customers' WordPress plugin versions up to 2.0.8 allows Subscriber-level users to elevate privileges to Administrator on any subsite within a WordPress Multisite network. The vulnerability stems from an incomplete blocklist in save_extra_user_profile_fields() that restricts primary site capability meta keys (wp_capabilities) but fails to block multisite-prefixed equivalents (wp_2_capabilities, wp_3_capabilities, etc.). Exploitation requires that an administrator has previously imported a CSV with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option. Patch released in changeset 3515646 per WordPress plugin repository. No EPSS or KEV data available, indicating no widespread exploitation detected at time of analysis.

Privilege Escalation WordPress PHP
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in User Verification by PickPlugins for WordPress allows remote unauthenticated attackers to log in as any user with a verified email - including administrators - by submitting the string 'true' as the OTP code. The vulnerability stems from a loose PHP comparison operator (==) in the OTP validation logic, which treats the boolean true as equal to any non-zero numeric OTP value. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents complete system compromise risk for WordPress sites running vulnerable versions (≤2.0.46). Fixed in version 2.0.47 per Wordfence advisory and WordPress plugin repository changeset 3519113.

PHP WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Missing capability check in WP Mail Gateway plugin for WordPress (versions ≤1.8) allows authenticated attackers with Subscriber-level privileges to modify SMTP settings via the wmg_save_provider_config AJAX action, enabling mail redirection. Attackers exploit this by redirecting password reset emails to attacker-controlled servers, then using intercepted credentials to escalate privileges to Administrator. CVSS 8.8 (High) reflects the severe impact despite requiring initial low-level authentication. No active exploitation confirmed via CISA KEV, but Wordfence reporting indicates discovery by security researchers and likely inclusion in their threat intelligence feeds.

Authentication Bypass WordPress Privilege Escalation
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

My Social Feeds - Social Feeds Embedder WordPress plugin up to version 1.0.4 exposes sensitive TikTok OAuth credentials via an unauthenticated AJAX endpoint due to missing authorization and nonce checks. Authenticated attackers with Subscriber-level access can retrieve stored access_token and refresh_token values belonging to administrator-connected TikTok accounts, enabling them to impersonate the site owner in TikTok API interactions. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability is trivial to exploit once network access is established.

WordPress Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unrestricted file upload in User Registration Advanced Fields plugin for WordPress (≤1.6.20) allows remote unauthenticated attackers to upload executable files and achieve code execution on the web server when Profile Picture fields are enabled in registration forms. Wordfence has documented this critical vulnerability affecting all versions through 1.6.20, with exploitation possible against any site using the Profile Picture form field feature without authentication or user interaction required.

WordPress File Upload RCE
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Essential Blocks WordPress plugin versions up to 6.0.4 allows authenticated Contributor-level users to inject arbitrary JavaScript into the Add to Cart block via unescaped className, classHook, and blockId attributes, executing malicious scripts in pages viewed by any site visitor. The vulnerability stems from use of raw sprintf() and implode() functions without WordPress escaping functions (esc_attr) in the render_callback() function, despite the outer wrapper using proper escaping. CVSS 6.4 (medium) reflects the requirement for authenticated access; however, the stored nature and cross-site scope elevate real-world risk on multi-author WordPress sites.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Unauthenticated attackers can access and modify plugin settings in the Widgets for Social Photo Feed WordPress plugin through missing capability checks on two REST API endpoints, allowing unauthorized data access and configuration changes in all versions up to and including 1.8. The vulnerability requires only network access with no user interaction, making it trivially exploitable by remote attackers without authentication credentials.

Authentication Bypass WordPress Information Disclosure
NVD VulDB GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the profile avatar of any WordPress user, including administrators, via an Insecure Direct Object Reference in the App Builder - Create Native Android & iOS Apps On The Flight plugin versions up to 5.6.0. The `/wp-json/app-builder/v1/upload-avatar` endpoint fails to validate that the authenticated user owns the target account before processing avatar uploads, allowing privilege escalation and account compromise through arbitrary user_id parameter submission in POST requests. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google WordPress +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Simple Link Directory plugin for WordPress up to version 8.9.2 allows authenticated contributors and above to inject arbitrary JavaScript through insufficiently sanitized shortcode attributes like `title_font_size`, which executes in the browsers of all users accessing affected pages. The vulnerability affects the `qcopd-directory` shortcode and requires contributor-level WordPress access to exploit, making it a moderate-to-high risk for multi-author WordPress sites without strict role management.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Maxi Blocks plugin for WordPress versions up to 2.1.9 allows authenticated attackers with Author-level access and above to inject arbitrary JavaScript via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint through insufficient sanitization of the `sc_styles` parameter. Injected scripts execute on every page where style card styles are loaded, including the WordPress admin panel, affecting all website visitors and administrators. The vendor released patched version 2.1.10 on 27 April 2026 with input sanitization fixes (wp_strip_all_tags applied to sc_styles parameter) and privilege escalation mitigation in the image crop functionality.

WordPress XSS
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can cancel pending rollbacks in Total Upkeep WordPress Backup Plugin by BoldGrid (versions up to 1.17.1) due to missing capability checks on the wp_ajax_cli_cancel AJAX function, allowing malicious users to prevent automatic recovery from failed WordPress updates. CVSS 5.3 (network-accessible, low complexity) reflects the integrity impact and lack of authentication requirement, though real-world impact depends on whether rollback operations are actively pending during an update failure.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Ultimate Dashboard for WordPress up to version 3.8.14 allows unauthenticated attackers to toggle plugin modules on or off by tricking site administrators into clicking a malicious link. The vulnerability stems from flawed nonce validation in the 'handle_module_actions' function, enabling attackers to modify plugin configuration without user consent. No public exploit code or active exploitation has been identified at this time.

CSRF WordPress
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in WP Editor plugin through version 1.2.9.2 enables remote attackers to inject arbitrary PHP code into plugin and theme files. The vulnerability requires administrator interaction (clicking a malicious link) but no authentication for the attacker, allowing complete website compromise through file overwrite. EPSS data not available; no confirmed active exploitation at time of analysis. Patch available in changeset 3480577.

CSRF PHP WordPress
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Authentication bypass in the Temporary Login WordPress plugin (versions ≤1.0.0) allows remote unauthenticated attackers to authenticate as any temporary login user via a single crafted GET request. The vulnerability exploits a type juggling flaw where passing 'temp-login-token' as an array bypasses validation checks and causes WordPress to return all users with temporary login tokens, enabling complete account takeover without knowledge of valid credentials. CVSS 9.8 (Critical) with network attack vector and no prerequisites. EPSS data not available; exploitation requires the presence of active temporary login accounts created by site administrators.

Authentication Bypass WordPress
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Elementor
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Elementor Website Builder plugin for WordPress up to version 4.0.4 allows authenticated contributors to inject arbitrary JavaScript via form-encoded REST API requests to the _elementor_data meta field. The vulnerability bypasses sanitization by exploiting a json_decode() failure on non-JSON request bodies, causing unsanitized data to be stored and later output without escaping in widget rendering functions. Contributors and above can inject malicious scripts that execute for all users viewing affected pages, compromising site integrity and user sessions.

WordPress XSS Elementor
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can bypass Stripe payment gates in Otter Blocks for WordPress ≤3.1.4 by forging the 'o_stripe_data' cookie with publicly visible product IDs from checkout block HTML source, gaining unauthorized access to premium content. The plugin's 'get_customer_data' method accepts unsigned cookie data without server-side Stripe API verification for one-time purchases, enabling trivial exploitation with no authentication required. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from accessing gated content. EPSS data unavailable; no active exploitation or POC confirmed at time of analysis, but the attack requires only basic HTTP cookie manipulation skills.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Five Star Restaurant Reservations plugin for WordPress versions up to 2.7.16 allows unauthenticated attackers to bypass payment verification through PHP type juggling in the valid_payment() function. The vulnerability exists in the rtb_stripe_pmt_succeed AJAX handler, which uses loose comparison (==) between attacker-supplied payment_id and the booking's stripe_payment_intent_id. When the intent ID is null (before Stripe intent creation), an empty payment_id parameter passes validation, enabling attackers to mark payment-pending bookings as paid without completing actual Stripe payments. This permits unauthorized order fulfillment and revenue loss for affected WordPress sites.

WordPress Authentication Bypass PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts.

WordPress Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting (XSS) in the Woostify WordPress plugin through version 2.5.0 allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript into pages via unsanitized href attributes in the bundled Lity.js lightbox library. The injected scripts execute in the browsers of any user visiting the compromised page, enabling account takeover, credential theft, and malware distribution. No public exploit code has been identified at the time of analysis, but the vulnerability requires only low complexity network access with authenticated credentials.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Booking Package plugin for WordPress up to version 1.7.06 allows unauthenticated attackers to manipulate booking prices via the intentForStripe() function, which accepts unsanitized $_POST['amount'] values and passes them directly to the Stripe PaymentIntent API without validation. The vulnerability is compounded by commented-out code in CreditCard.php that would normally enforce server-calculated pricing, enabling attackers to complete bookings at arbitrary prices (e.g., $0.01 instead of $500.00) with no authentication required. This is a confirmed price manipulation vulnerability with no active KEV exploitation reported but represents significant financial fraud risk.

PHP WordPress RCE
NVD
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Stored XSS vulnerability in Check & Log Email WordPress plugin before version 2.0.13 allows authenticated users with low privileges to inject malicious scripts via improper email replacement handling when the email encoder setting is enabled. The vulnerability requires user interaction (UI:R) to execute, affecting confidentiality and integrity with cross-site scope. Publicly available exploit code exists but exploitation probability remains low (EPSS 0.05%, percentile 17%), indicating this is not a widely targeted vulnerability despite public awareness.

WordPress XSS
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in WPC Smart Messages for WooCommerce plugin through version 4.2.8 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via the 'text' attribute of the wpcsm_text_rotator shortcode, resulting in execution whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping. No active exploitation confirmed; patch available in version 4.2.9.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Social Post Embed plugin for WordPress up to version 2.0.1 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into page content via the Threads embed handler due to insufficient input sanitization and output escaping. Injected scripts execute when any user views the affected page, enabling session hijacking, credential theft, or malware distribution from trusted WordPress sites. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Timeline Blocks for Gutenberg WordPress plugin through version 1.1.10 allows authenticated contributors and above to inject arbitrary JavaScript via the 'titleTag' attribute of the timeline-blocks/tb-timeline-blocks block, executing malicious scripts whenever any user views the affected page. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied block attributes. Exploitation requires WordPress contributor-level access or higher and affects all versions up to 1.1.10.

WordPress XSS
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.

WordPress Privilege Escalation Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated attackers with Subscriber-level privileges can escalate to Administrator role in Highland Software Custom Role Manager for WordPress via profile update exploitation. The hscrm_save_user_roles() function lacks capability checks on the personal_options_update hook, allowing low-privilege users to modify arbitrary user roles including their own. Version 1.0.1 released with authorization fixes. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. EPSS data not provided, no CISA KEV listing identified, indicating limited widespread exploitation despite the severity of self-service privilege escalation to site administrator.

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Liaison Site Prober plugin for WordPress allows unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, and login events through an improperly secured REST API endpoint (/wp-json/site-prober/v1/logs) in all versions up to 1.2.1. The vulnerability stems from a permission callback that unconditionally returns true without validating user capabilities, enabling information disclosure with network-level access and no authentication required. No public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in ITERAS WordPress plugin version 1.8.2 and earlier allows authenticated attackers with Contributor-level privileges to inject arbitrary JavaScript code via shortcode attributes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) due to insufficient input sanitization in the combine_attributes() function. When a user accesses a page containing the malicious shortcode, the injected script executes in their browser context, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Taqnix WordPress plugin versions up to 1.0.3 allows unauthenticated attackers to trick logged-in users into deleting their own accounts via a forged request. The vulnerability stems from a commented-out nonce verification check in the taqnix_delete_my_account() function, making account deletion unprotected against CSRF attacks. No public exploit code or active exploitation has been identified, though the attack requires user interaction (clicking a malicious link or visiting a compromised page).

WordPress CSRF
NVD VulDB
Prev Page 15 of 194 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy