Skip to main content

WordPress

17381 CVEs vendor

Monthly

CVE-2026-5234 MEDIUM This Month

LatePoint WordPress plugin versions up to 5.3.2 expose a public, unauthenticated endpoint (OsStripeConnectController::create_payment_intent_for_transaction) that allows sequential enumeration of invoice IDs and unauthorized creation of transaction intent records containing sensitive financial data, customer identifiers, and Stripe payment secrets. Unauthenticated remote attackers can exploit this Insecure Direct Object Reference (IDOR) vulnerability to leak confidential payment information and Stripe Connect tokens without authentication or user interaction. No active exploitation has been confirmed at the time of analysis.

Authentication Bypass Oracle WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-6080 MEDIUM This Month

SQL injection in Tutor LMS plugin for WordPress through version 3.9.8 allows authenticated Admin-level attackers to extract sensitive database information by injecting malicious SQL via the 'date' parameter, which is insufficiently escaped before being interpolated into a SQL fragment passed to $wpdb->prepare(). The vulnerability requires Admin authentication and does not permit data modification or denial of service. CVSS 6.5 reflects confidentiality impact; exploitation is limited to high-privilege authenticated users.

WordPress SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3330 MEDIUM This Month

SQL injection in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows authenticated administrators to extract sensitive database information via unsanitized parameters (ip_search, startdate, enddate, username_search, useremail_search) in the Submissions display function. The vulnerability stems from the validate_data() method stripping WordPress's magic quotes protection and get_labels_parameters() concatenating user input directly into SQL queries without prepared statements. A CSRF vector exists because the vulnerable display task lacks nonce verification, enabling attackers to trick administrators into triggering the injection via a crafted link. Exploitation requires Administrator-level privileges but can be chained with CSRF for unauthorized triggering.

WordPress SQLi CSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-4853 MEDIUM This Month

JetBackup plugin for WordPress versions up to 3.1.19.8 allows authenticated administrators to delete arbitrary directories via path traversal in the file upload handler. The vulnerability stems from insufficient input validation on the fileName parameter, which is sanitized using sanitize_text_field() but still permits path traversal sequences like '../'. When combined with the recursive directory deletion logic in the cleanup routine, attackers can traverse outside the intended upload directory and delete critical WordPress directories such as wp-content/plugins, completely disabling all plugins and severely disrupting the WordPress installation.

File Upload Path Traversal WordPress
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-4666 MEDIUM This Month

wpForo Forum plugin for WordPress allows authenticated Subscriber-level attackers to modify arbitrary forum posts via variable extraction abuse and weak nonce validation. Attackers exploit the `extract($args, EXTR_OVERWRITE)` function in the `edit()` method to bypass permission checks, enabling unauthorized modification of post titles, bodies, names, and emails across all forum visibility levels including private forums and admin/moderator posts. A hardcoded nonce shared across all forum templates allows any user viewing any forum page to obtain a valid nonce, making exploitation trivial for authenticated users.

PHP Authentication Bypass WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3488 MEDIUM This Month

WP Statistics plugin for WordPress versions up to 14.16.4 fail to enforce capability checks on multiple AJAX endpoints, allowing authenticated Subscriber-level users to access sensitive analytics data, retrieve and modify privacy audit status, and dismiss administrative notices. The vulnerability stems from reliance on nonce verification alone without role-based access control, affecting all installations with the plugin active and at least one authenticated user account. No public exploit code or active exploitation has been confirmed at time of analysis.

Authentication Bypass WordPress
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5231 HIGH This Week

Stored Cross-Site Scripting in WP Statistics plugin (≤14.16.4) allows unauthenticated attackers to inject malicious JavaScript into admin dashboard analytics pages. The vulnerability stems from unsafe handling of utm_source URL parameters that persist into database-backed charts, executing when administrators view Referrals Overview or Social Media pages. With CVSS 7.2 and network vector requiring no authentication, this represents elevated risk for WordPress sites using this analytics plugin, though no active exploitation confirmed at time of analysis.

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-4817 MEDIUM This Month

Time-based blind SQL injection in MasterStudy LMS WordPress plugin up to version 3.7.25 allows authenticated subscribers and above to extract sensitive database information including user credentials and session tokens via unquoted ORDER BY clause injection in the /lms/stm-lms/order/items REST API endpoint. The vulnerability stems from a custom Query builder that concatenates user-supplied sort parameters containing parentheses directly into SQL ORDER BY clauses without proper quoting, bypassing the plugin's use of esc_sql(). CVSS score of 6.5 reflects network-accessible exploitation requiring low privilege (subscriber-level) authentication and no user interaction.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-5162 MEDIUM This Month

Stored Cross-Site Scripting in Royal Addons for Elementor plugin versions up to 1.7.1056 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the Instagram Feed widget's 'instagram_follow_text' setting, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the widget configuration handler. CVSS 6.4 reflects the moderate severity (network-accessible, no user interaction required from victims, but limited scope to stored XSS with low confidentiality and integrity impact). No public exploit code or active exploitation has been confirmed at time of analysis.

XSS WordPress Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-40308 PHP HIGH POC PATCH GHSA This Week

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.

PHP Authentication Bypass WordPress Denial Of Service
NVD GitHub
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-2840 MEDIUM This Month

The Email Encoder - Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4160 MEDIUM This Month

The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3155 LOW Monitor

The OneSignal - Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-3369 MEDIUM This Month

The Better Find and Replace - AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-3489 HIGH This Week

The DirectoryPress - Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-0718 MEDIUM This Month

Unauthenticated attackers can modify post share count metadata in Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX (PostX) plugin versions up to 5.0.5 due to a missing capability check in the ultp_shareCount_callback() function. This allows unauthorized modification of share_count post meta for any post including private and draft posts, affecting all WordPress installations running the vulnerable plugin. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14868 HIGH This Week

Cross-Site Request Forgery (CSRF) in Career Section WordPress plugin versions ≤1.6 enables unauthenticated attackers to delete arbitrary server files through social engineering. Attackers trick authenticated WordPress administrators into clicking malicious links that exploit missing nonce validation in the delete action handler, leading to path traversal and unrestricted file deletion. CVSS 8.8 (High) with network attack vector but requires user interaction (UI:R). EPSS and KEV data not provided; public exploit code status unknown. Wordfence advisory and upstream patch commit available.

Path Traversal WordPress CSRF
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3876 HIGH This Week

Stored Cross-Site Scripting in Prismatic WordPress plugin (all versions ≤3.7.3) allows unauthenticated remote attackers to inject malicious scripts via crafted comment submissions containing the 'prismatic_encoded' pseudo-shortcode. Vulnerable code in prismatic_decode function fails to sanitize user-supplied attributes. CVSS 7.2 with scope change (S:C) elevates impact beyond vulnerable component. EPSS data not available; no CISA KEV listing identified. Wordfence threat intelligence confirms vulnerability; patch released in version 3.7.4 per WordPress plugin repository changelog.

XSS WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-3355 MEDIUM This Month

Reflected Cross-Site Scripting in Customer Reviews for WooCommerce plugin allows unauthenticated attackers to inject arbitrary JavaScript via the unescaped 'crsearch' parameter, affecting all versions up to 5.101.0. Exploitation requires social engineering (victim must click a malicious link), but successful attacks can steal session cookies, perform actions as the logged-in user, or redirect to phishing sites. No public exploit code or active exploitation has been identified, though the vulnerability is trivially reproducible given the simple parameter manipulation required.

XSS WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13364 MEDIUM This Month

Stored XSS in WP Maps plugin for WordPress allows authenticated contributors to inject malicious scripts via the 'put_wpgm' shortcode due to insufficient input sanitization and output escaping. Attackers with contributor-level access and above can craft malicious shortcode attributes that persist in page content and execute for all subsequent visitors. All versions up to 4.8.7 are affected; patched version 4.8.8 is available.

XSS WordPress Google
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3875 MEDIUM This Month

Stored Cross-Site Scripting in BetterDocs WordPress plugin versions up to 4.3.8 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via the 'betterdocs_feedback_form' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at this time.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3995 MEDIUM PATCH This Month

Stored cross-site scripting in OPEN-BRAIN WordPress plugin versions up to 0.5.0 allows authenticated administrators to inject malicious scripts via the API Key settings field, which are executed when any user accesses the plugin settings page. The vulnerability stems from improper use of sanitize_text_field() (which does not prevent attribute breakout) combined with missing esc_attr() escaping when outputting the API key to an HTML input value attribute. While exploitation requires administrator-level access, the stored nature means scripts persist and affect all subsequent user interactions with the settings page.

XSS WordPress
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1572 MEDIUM This Month

Livemesh Addons for Elementor plugin versions up to 9.0 allow authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via the plugin settings page through missing authorization checks on the AJAX handler lae_admin_ajax() and insufficient output escaping on checkbox fields. The injected scripts execute whenever an administrator accesses the settings page if the attacker obtains a valid nonce, which can be leaked due to improper access control on settings pages. This combination of authorization bypass and stored XSS affects all WordPress installations running the vulnerable plugin.

XSS WordPress Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1620 HIGH This Week

Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).

PHP LFI WordPress Path Traversal Elementor
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3581 MEDIUM This Month

Unauthenticated attackers can modify stored map latitude and longitude options in the Basic Google Maps Placemarks WordPress plugin through version 1.10.7 due to missing authorization checks on administrative functions. The vulnerability allows remote, unauthenticated modification of critical map configuration without requiring user interaction, affecting any WordPress site running the vulnerable plugin with default settings. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress Google
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3773 MEDIUM This Month

SQL injection in Accessibility Suite by Ability, Inc WordPress plugin (versions up to 4.20) allows authenticated attackers with Subscriber-level access to extract sensitive database information via an unescaped 'scan_id' parameter. The vulnerability is unauthenticated remote network-accessible but requires low-privilege login credentials; no public exploit code or active exploitation has been identified at the time of analysis.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3614 HIGH This Week

Privilege escalation in AcyMailing WordPress plugin (versions 9.11.0-10.8.1) allows authenticated Subscriber-level users to gain administrator access through a multi-stage attack chain. Attackers exploit a missing capability check in the wp_ajax_acymailing_router AJAX handler to access admin-only configuration controllers, enable autologin features, inject malicious cms_id values into newsletter subscribers, and authenticate as any WordPress user including administrators. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the low attack complexity (AC:L) and detailed public code references increase exploitation risk for installations with subscriber registration enabled.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3599 HIGH This Week

SQL injection in Riaxe Product Customizer for WordPress (all versions ≤2.1.2) allows unauthenticated remote attackers to extract sensitive database contents via crafted REST API requests. The vulnerability exists in the /wp-json/InkXEProductDesignerLite/add-item-to-cart endpoint where the 'options' parameter keys within 'product_data' lack proper SQL escaping. CVSS 7.5 (High) with attack vector network/low complexity/no authentication required. Wordfence discovery indicates active researcher attention. No CISA KEV listing or public exploit code identified at time of analysis, but EPSS data unavailable for risk calibration.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-5050 HIGH This Week

Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. Affects versions ≤7.0.0 of 'Payment Gateway for Redsys & WooCommerce Lite' WordPress plugin. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation, though EPSS data unavailable. No CISA KEV listing or public POC identified at time of analysis. Vendor patch released in changeset 3501998.

Information Disclosure Jwt Attack WordPress Google
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3551 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Custom New User Notification plugin for WordPress versions up to 1.2.0 allows authenticated administrators to inject arbitrary JavaScript into plugin settings pages via unescaped admin form fields (User Mail Subject, User From Name, User From Email, Admin Mail Subject, Admin From Name, Admin From Email). When any user accesses the plugin settings page, the injected scripts execute in their browser context, enabling privilege escalation in WordPress multisite environments where subsite administrators target super administrators. No public exploit code or active exploitation has been identified; the attack requires Administrator-level credentials, limiting real-world risk despite moderate CVSS score.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-3595 MEDIUM This Month

Riaxe Product Customizer plugin for WordPress versions up to 2.1.2 allows unauthenticated attackers to delete arbitrary user accounts via a REST API endpoint lacking permission checks. The POST /wp-json/InkXEProductDesignerLite/customer/delete_customer route accepts a list of user IDs and directly deletes them without authentication or authorization validation, enabling attackers to remove administrator accounts and cause complete site lockout. This is confirmed by Wordfence and affects all installations running the vulnerable plugin version.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3596 CRITICAL Act Now

Unauthenticated remote attackers can escalate to administrator privileges on WordPress sites running Riaxe Product Customizer plugin ≤2.1.2. The plugin exposes an AJAX endpoint ('install-imprint') without authentication checks that allows arbitrary WordPress option manipulation, enabling attackers to create administrator accounts by modifying registration settings. CVSS 9.8 (Critical) reflects the complete site compromise potential. EPSS data not provided but exploitation requires only HTTP access to any vulnerable WordPress installation with this plugin active-no special conditions beyond plugin presence.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-5070 MEDIUM This Month

Stored cross-site scripting in the Vantage WordPress theme up to version 1.20.32 allows authenticated contributors and higher-privileged users to inject malicious scripts into gallery block text content that execute for all site visitors. The vulnerability stems from insufficient output escaping in the gallery template, enabling attackers with contributor-level access to compromise page integrity and potentially steal session tokens or deface content.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3878 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in WP Docs plugin for WordPress (all versions through 2.2.9) allows authenticated attackers with subscriber-level access to inject malicious scripts via the 'wpdocs_options[icon_size]' parameter due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user accessing the affected page, enabling session hijacking, credential theft, or malware distribution with no user interaction required beyond normal site browsing. No public exploit code has been identified, but the vulnerability is technically straightforward to exploit given valid subscriber credentials.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4032 MEDIUM PATCH This Month

Stored Cross-Site Scripting (XSS) in CodeColorer plugin for WordPress versions up to 0.10.1 allows unauthenticated attackers to inject malicious JavaScript via the 'class' parameter in the 'cc' comment shortcode, which executes in the browsers of users viewing the affected page. Exploitation requires comments to be enabled and guest comments permitted on the target post. The vulnerability has a CVSS score of 6.1 with low complexity and no authentication required, but user interaction (visiting the affected page) is necessary for the payload to execute.

XSS WordPress
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3885 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate through version 7.4.9 allows authenticated contributors and above to inject arbitrary JavaScript into WordPress pages via the 'su_box' shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of all users who access the affected pages, potentially compromising site visitors' sessions and data. No public exploit code has been identified at the time of analysis, though the vulnerability is straightforward to reproduce and weaponize.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3299 MEDIUM This Month

Stored Cross-Site Scripting in WP YouTube Lyte plugin for WordPress versions up to 1.7.29 allows authenticated contributors and above to inject arbitrary JavaScript via the 'lyte' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages. No public exploit code or active exploitation has been confirmed at time of analysis; patch is available in version 1.7.30 and later.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4880 CRITICAL Act Now

Privilege escalation to WordPress administrator via insecure token-based authentication in Barcode Scanner (+Mobile App) plugin versions ≤1.11.0 allows remote unauthenticated attackers to gain full administrative control. The plugin leaks valid admin authentication tokens through the 'barcodeScannerConfigs' action and accepts Base64-encoded user IDs without validation, enabling attackers to spoof admin credentials, extract legitimate tokens, and modify any user's 'wp_capabilities' meta to grant themselves administrator privileges. CVSS 9.8 (Critical) with network vector, low complexity, and no authentication required. Vendor patch deployed in changeset 3506824.

Privilege Escalation WordPress
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4949 MEDIUM This Month

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided. This makes it possible for authenticated attackers, with Subscriber-level access and above, to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6370 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS.This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4.

WordPress XSS
NVD VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-1852 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Product Pricing Table by WooBeWoo plugin for WordPress allows unauthenticated attackers to inject arbitrary web scripts or delete pricing tables by tricking site administrators into clicking a malicious link, exploiting missing nonce validation in the updateLabel() and remove() functions across all versions up to and including 1.1.0. No public exploit code identified at time of analysis, but the vulnerability requires only user interaction (UI:R) and has a network attack vector, making it moderately exploitable in real-world scenarios.

WordPress CSRF
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3643 HIGH This Week

Stored XSS in Accessibly WordPress plugin (≤3.0.3) allows unauthenticated attackers to inject malicious JavaScript executed by all site visitors via unprotected REST API endpoints. Two endpoints (/otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config) lack authentication checks (permission_callback set to __return_true), enabling attackers to modify the widgetSrc option with a URL pointing to attacker-controlled scripts. The malicious URL is stored unsanitized in WordPress options and

PHP WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-4011 MEDIUM This Month

Stored cross-site scripting in Power Charts Lite WordPress plugin versions up to 0.1.0 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'id' parameter of the [pc] shortcode. The vulnerability exists because the plugin extracts user-supplied shortcode attributes, directly concatenates them into HTML class attributes without sanitization, and then decodes HTML entities, creating a persistent XSS payload that executes for all users viewing the affected page. No active exploitation has been confirmed, but the attack requires only standard WordPress contributor permissions and no additional complexity.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3998 MEDIUM This Month

Stored cross-site scripting in WM JqMath WordPress plugin up to version 1.3 allows authenticated contributors and above to inject arbitrary JavaScript via the 'style' shortcode attribute, which executes in the browsers of all users viewing affected pages. The vulnerability stems from direct concatenation of unsanitized user input into HTML without proper escaping (missing esc_attr() calls). CVSS 6.4 reflects moderate risk with scope change; no public exploit code or active KEV status identified at time of analysis.

WordPress XSS
NVD GitHub
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1782 MEDIUM This Month

Remote attackers can manipulate payment amounts in Stripe and PayPal transactions through the MetForm Pro WordPress plugin by submitting arbitrary values in the 'mf-calculation' field, bypassing price validation. Versions up to 3.9.7 are affected; the plugin fails to recompute or validate user-submitted calculation fields against configured form prices, allowing unauthenticated attackers to reduce or alter payment amounts on vulnerable forms. No active exploitation has been publicly confirmed, though the attack requires minimal complexity and produces direct financial impact.

Information Disclosure WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3649 MEDIUM This Month

Unauthenticated attackers can retrieve sensitive PDF metadata and configuration values through a missing authorization flaw in the Katalogportal PDF Sync WordPress plugin (versions up to 1.0.0). The katalogportal_popup_shortcode() AJAX handler lacks capability checks and nonce verification, allowing any user to enumerate all synchronized PDF attachments-including those from private or draft posts-along with filenames and the katalogportal_userid configuration. This information disclosure has a CVSS score of 5.3 (low-to-medium severity) but enables reconnaissance for further attacks against WordPress installations.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4091 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in OPEN-BRAIN plugin for WordPress versions up to 0.5.0 allows unauthenticated attackers to inject malicious web scripts by tricking site administrators into clicking a malicious link, due to missing nonce verification in the func_page_main() settings form handler. With a CVSS score of 6.1 and network-level attack surface requiring only user interaction, this vulnerability affects any WordPress installation using the affected plugin. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress CSRF
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3461 CRITICAL Act Now

Authentication bypass in Visa Acceptance Solutions WordPress plugin (all versions through 2.1.0) allows unauthenticated remote attackers to gain complete account takeover by providing any user's email address during guest checkout. The vulnerability enables login as any existing user, including administrators, without password verification or email ownership validation. With a CVSS score of 9.8 (critical) and attack complexity of Low, this represents an immediate exploitation risk requiring no user interaction or privileges, though no public exploit or active exploitation (KEV) has been identified at time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-3642 MEDIUM This Month

Authenticated users with Subscriber-level access or above can modify WordPress form field configurations in the e-shot form builder plugin (versions up to 1.0.2) due to missing authorization checks in the eshot_form_builder_update_field_data AJAX handler. The function lacks both capability checks and nonce verification, allowing attackers to manipulate form field properties such as mandatory status, visibility, and display preferences without proper permission validation. No public exploit code or active exploitation has been confirmed at this time.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4005 MEDIUM This Month

Stored cross-site scripting in Coachific Shortcode plugin for WordPress versions up to 1.0 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the 'userhash' shortcode attribute. The plugin sanitizes input with sanitize_text_field() but fails to apply JavaScript-specific escaping before interpolating the value into a script tag, enabling persistent XSS attacks visible to all page visitors. EPSS score of 6.4 reflects moderate real-world risk constrained by the requirement for authenticated contributor access and user interaction.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4002 MEDIUM This Month

Cross-site request forgery in Petje.af WordPress plugin versions up to 2.1.8 allows unauthenticated attackers to force authenticated users into destructive actions-including revoking OAuth2 tokens, deleting user metadata, and permanently removing WordPress user accounts with the 'petjeaf_member' role-by crafting malicious requests that bypass nonce validation in the ajax_revoke_token() AJAX handler. The vulnerability requires user interaction (victim must click a link or visit a malicious site) but carries moderate integrity impact due to the ability to delete user accounts.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-3659 MEDIUM This Month

Stored Cross-Site Scripting in WP Circliful plugin for WordPress up to version 1.2 allows authenticated attackers with Contributor-level access to inject arbitrary HTML and JavaScript via insufficiently sanitized shortcode attributes in [circliful] and [circliful_direct] shortcodes. The vulnerability exists in the circliful_shortcode() and circliful_direct_shortcode() functions, which concatenate user input directly into HTML attributes without escaping. When a user visits a page containing the injected shortcode, the malicious script executes in their browser. No public exploit code or active exploitation in the wild has been confirmed at time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-5694 HIGH This Week

Stored Cross-Site Scripting in Quick Interest Slider plugin for WordPress (versions ≤3.1.5) allows unauthenticated remote attackers to inject malicious scripts via unsanitized 'loan-amount' and 'loan-period' parameters. Injected scripts execute in victim browsers when accessing compromised pages, enabling session hijacking, credential theft, or malicious redirects. CVSS 7.2 with network-accessible, low-complexity attack vector (AV:N/AC:L/PR:N) and scope change (S:C) indicates significant cross-tenant impact. No public exploit identified at time of analysis, though exploitation requires minimal technical sophistication due to unauthenticated attack surface.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-5617 HIGH This Week

Privilege escalation in Login as User WordPress plugin (all versions ≤1.0.3) allows authenticated subscribers to become administrators by manipulating a client-side cookie. Attackers with Subscriber-level access can set the 'oclaup_original_admin' cookie to an admin user ID and trigger the 'Return to Admin' function, granting full admin privileges. CVSS 8.8 (High) with network vector, low complexity, and low privileges required. No public exploit identified at time of analysis, EPSS data not available. Wordfence reported vulnerability with direct source code references to vulnerable functions in class-login-handler.php.

Authentication Bypass Privilege Escalation WordPress
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5717 MEDIUM This Month

Stored Cross-Site Scripting in VI: Include Post By WordPress plugin up to version 0.4.200706 allows authenticated contributors and above to inject arbitrary JavaScript via the 'class_container' shortcode attribute, which executes in the browsers of any user viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode parameters. No public exploit code or active exploitation has been reported; however, the low attack complexity and broad scope of impact (affecting all site visitors) make this a moderate-priority issue for WordPress installations using this plugin.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6293 MEDIUM This Month

Cross-site request forgery leading to stored cross-site scripting in Inquiry Form to Posts or Pages plugin version 1.0 for WordPress allows unauthenticated attackers to inject arbitrary scripts into administrator settings. The vulnerability stems from missing nonce validation on the settings update handler combined with insufficient input sanitization and output escaping, enabling an attacker to craft a malicious request that, when visited by a logged-in administrator, stores persistent XSS payloads. With a CVSS score of 4.3 and no evidence of public exploitation, this represents a moderate-severity threat requiring administrator interaction.

WordPress CSRF XSS
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2396 MEDIUM This Month

The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

WordPress Google XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1314 MEDIUM POC This Month

The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-15470 MEDIUM This Month

The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory.

WordPress Path Traversal
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1555 CRITICAL Act Now

Unrestricted file upload in WebStack WordPress theme allows unauthenticated remote code execution. The io_img_upload() function in all versions through 1.2024 lacks file type validation, enabling unauthenticated attackers to upload malicious files (e.g., PHP shells) directly to the server. No public exploit identified at time of analysis, but EPSS score and attack complexity (CVSS AC:L) indicate straightforward exploitation. Critical severity (CVSS 9.8) warranted due to complete system compromise potential with zero authentication barriers.

WordPress RCE File Upload
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1509 MEDIUM This Month

Arbitrary WordPress action execution in Avada (Fusion) Builder plugin versions up to 3.15.1 allows authenticated attackers with Subscriber-level access to invoke unvalidated WordPress action hooks via the Dynamic Data feature, potentially enabling privilege escalation, file inclusion, denial of service, or remote code execution depending on available hooks in the WordPress installation. The vulnerability stems from the `output_action_hook()` function accepting user-controlled input without authorization checks. No public exploit code or active exploitation has been confirmed at time of analysis.

Denial Of Service RCE WordPress Privilege Escalation Code Injection
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1541 MEDIUM This Month

Avada (Fusion) Builder plugin for WordPress up to version 3.15.1 allows authenticated Subscriber-level users and above to access protected post metadata through the Dynamic Data feature's `post_custom_field` parameter due to insufficient validation of underscore-prefixed metadata keys. The `fusion_get_post_custom_field()` function fails to enforce metadata access controls, enabling disclosure of sensitive metadata that should be restricted. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4812 MEDIUM This Month

Unauthenticated attackers can bypass field-level authorization in Advanced Custom Fields (ACF) plugin versions up to 6.7.0 via AJAX endpoints that process user-supplied filter parameters without proper privilege checks, enabling disclosure of draft, private, and restricted post/page content that should be hidden by field configuration. The vulnerability affects any WordPress site with ACF installed and frontend forms exposed, requiring only network access and no user interaction. CVSS 5.3 reflects confidentiality impact with low attack complexity; no KEV status or public POC confirmed at analysis time.

Authentication Bypass WordPress Advanced Custom Fields
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2834 HIGH This Week

Stored Cross-Site Scripting in Token of Trust WordPress plugin versions ≤3.32.3 allows unauthenticated remote attackers to inject malicious scripts via the unsanitized 'description' parameter, achieving persistent code execution in victim browsers with changed security context (CVSS scope changed). CVSS 7.2 with network attack vector and no authentication required. No public exploit identified at time of analysis, but EPSS data not provided to assess exploitation probability.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-15565 MEDIUM This Month

Unauthenticated attackers can bypass authorization checks in the Nexi XPay plugin for WordPress (versions up to 8.3.0) to mark pending WooCommerce orders as paid or completed by exploiting a missing authorization check on the redirect function. This allows payment fraud by converting unpaid orders into completed transactions without authentication. No public exploit code or active exploitation has been reported at time of analysis.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4109 MEDIUM This Month

Eventin - Events Calendar, Event Booking, Ticket & Registration plugin for WordPress fails to properly validate user capabilities in the get_item_permissions_check() function, allowing authenticated Subscriber-level users to enumerate and read arbitrary order data including customer names, emails, and phone numbers through order ID iteration. Affected versions include all releases up to and including 4.1.8. This is a low-complexity, network-accessible vulnerability (CVSS 4.3) that requires only basic authentication, making it exploitable by any user with a WordPress account on an affected site.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2582 MEDIUM This Month

Unauthenticated attackers can execute arbitrary WordPress shortcodes in the Germanized for WooCommerce plugin (all versions up to 3.20.5) via the 'account_holder' parameter, which bypasses shortcode validation in the do_shortcode() function. This enables remote code execution with medium severity (CVSS 6.5) affecting any WordPress site with the vulnerable plugin installed. No public exploit code or active exploitation has been confirmed at the time of analysis.

Code Injection RCE WordPress
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-3017 HIGH This Week

PHP object injection in Smart Post Show WordPress plugin versions ≤3.0.12 allows administrators to deserialize untrusted input via the import_shortcodes() function. While no POP chain exists in the plugin itself (making direct exploitation impossible), the vulnerability becomes critical if paired with another plugin/theme containing exploitable gadget chains, potentially enabling file deletion, data exfiltration, or remote code execution. CVSS 7.2 (High) reflects theoretical maximum impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE identifier.

PHP WordPress Information Disclosure Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-4059 MEDIUM This Month

Stored Cross-Site Scripting in ShopLentor WordPress plugin (versions up to 3.3.5) via the woolentor_quickview_button shortcode's button_text attribute allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript that executes for all site visitors. The vulnerability stems from insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. With a CVSS score of 6.4 and confirmed patch availability in version 3.3.6, this poses a moderate risk to WordPress installations using the plugin, particularly those with multiple contributor-level users.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4479 MEDIUM This Month

Stored Cross-Site Scripting in WholeSale Products Dynamic Pricing Management WooCommerce plugin allows authenticated administrators to inject arbitrary web scripts via admin settings that execute for all users on affected pages. The vulnerability affects all versions up to and including 1.2 on multi-site WordPress installations or single-site installations with unfiltered_html disabled. While the CVSS score of 4.4 is moderate, exploitation requires high-privilege administrator credentials and the attack is limited by high attack complexity; however, the persistent nature of stored XSS means injected payloads affect all subsequent site visitors.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1607 MEDIUM This Month

Stored cross-site scripting in the Surbma | Booking.com Shortcode WordPress plugin (all versions up to 2.1) allows authenticated contributors and above to inject malicious scripts into pages via insufficient input sanitization on the `surbma-bookingcom` shortcode attributes, causing arbitrary JavaScript execution for all site visitors accessing the compromised page. The vulnerability has a CVSS score of 6.4 with network-based attack vector and low complexity, requiring only contributor-level privileges to exploit. No public exploit code or active exploitation has been independently confirmed at the time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4388 HIGH This Week

Stored Cross-Site Scripting in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows unauthenticated attackers to inject malicious JavaScript through Matrix field submissions that executes when administrators view submission details. The vulnerability stems from inadequate sanitization (sanitize_text_field removes tags but preserves quotes) and missing output escaping in the admin Submissions view. With CVSS 7.2 (High) and network-based attack vector requiring no privileges or user int

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-6227 HIGH This Week

Local file inclusion in BackWPup WordPress plugin versions ≤5.6.6 allows authenticated administrators to read sensitive configuration files or achieve remote code execution via path traversal bypass in the `/wp-json/backwpup/v1/getblock` REST endpoint. The vulnerability stems from insufficient sanitization using non-recursive `str_replace()`, enabling crafted sequences like `....//` to bypass filtering. While requiring high privileges (PR:H), the plugin's permission delegation feature allows administrators to grant backup management rights to lower-privileged users, expanding the attack surface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CVSS 7.2 reflects high confidentiality, integrity, and availability impact.

PHP Path Traversal WordPress RCE
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-4352 HIGH This Week

SQL injection in JetEngine WordPress plugin (≤3.8.6.1) via Custom Content Type REST API allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from unsanitized search parameters in REST endpoints, bypassing WordPress's built-in SQL protections. Attack complexity is low (CVSS AC:L) with no user interaction required. EPSS and KEV data not provided; exploitation requires Custom Content Types module enabled with public REST endpoints configured.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4365 CRITICAL Act Now

Unauthenticated data deletion in LearnPress WordPress LMS plugin (versions ≤4.3.2.8) allows remote attackers to delete arbitrary quiz answer options without authentication. The plugin exposes wp_rest nonces to unauthenticated visitors in public frontend HTML and uses this nonce as the sole security gate for its AJAX dispatcher, while the delete_question_answer() function lacks both capability and ownership verification. With CVSS 9.1 (Critical) scoring and network-exploitable attack vector requi

Authentication Bypass WordPress
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-6203 MEDIUM POC This Month

The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.

Open Redirect WordPress
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-3830 HIGH POC PATCH This Week

SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data not available, but the combination of unauthenticated access, public POC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations.

SQLi WordPress
NVD WPScan VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-15441 MEDIUM POC PATCH This Month

SQL injection in Form Maker by 10Web WordPress plugin before version 1.15.38 allows unauthenticated remote attackers to read sensitive data via improper SQL query preparation when the MySQL Mapping feature is enabled. The attack requires high complexity to exploit but has high confidentiality impact, affecting all WordPress sites running the vulnerable plugin with this feature active. Public exploit code is available, though EPSS scoring (0.02%) suggests real-world exploitation remains limited despite the presence of proof-of-concept.

SQLi WordPress
NVD WPScan VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-5809 HIGH This Week

Arbitrary file deletion in wpForo Forum plugin for WordPress (≤3.0.2) allows authenticated attackers with subscriber-level access to delete critical server files including wp-config.php. A two-step logic flaw permits injection of attacker-controlled file paths via poisoned postmeta arrays (data[body][fileurl]), which are later passed unvalidated to wp_delete_file(). The vulnerability requires low-privilege authentication (PR:L) and enables denial-of-service against WordPress installations through deletion of configuration or core files. No public exploit identified at time of analysis.

WordPress PHP Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-3371 MEDIUM This Month

Insecure Direct Object Reference in Tutor LMS WordPress plugin versions up to 3.9.7 allows authenticated Subscriber-level users to manipulate course content structure across any course by exploiting missing authorization checks in the save_course_content_order() method, enabling attackers to detach lessons from topics, reorder course content, and reassign lessons between courses without proper ownership verification.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4979 MEDIUM This Month

Blind Server-Side Request Forgery in UsersWP WordPress plugin versions up to 1.2.58 allows authenticated subscribers and above to force the WordPress server to make arbitrary HTTP requests via the uwp_crop parameter in avatar/banner image crop operations. The vulnerability stems from insufficient URL origin validation in the process_image_crop() method, which accepts user-controlled URLs and passes them to PHP image processing functions that support URL wrappers, enabling internal network reconnaissance and potential access to sensitive services. No public exploit code or active exploitation has been confirmed, though the vulnerability requires only authenticated access and low attack complexity.

PHP SSRF WordPress
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-5144 HIGH This Week

Privilege escalation in BuddyPress Groupblog (WordPress plugin) allows authenticated attackers with Subscriber-level access to grant Administrator privileges on any blog in a Multisite network, including the main site. Exploitation leverages missing authorization checks in group blog settings handlers, enabling attackers to inject arbitrary WordPress roles (including administrator) and associate groups with any blog ID. When users join the compromised group, they are silently added to the targeted blog with the injected role. Authenticated access required (PR:L). No public exploit identified at time of analysis.

WordPress Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-3498 MEDIUM This Month

Stored Cross-Site Scripting in BlockArt Blocks plugin for WordPress allows authenticated attackers with Author-level or higher permissions to inject arbitrary JavaScript into page content via the 'clientId' block attribute due to insufficient input sanitization and output escaping. An attacker can craft malicious block content that executes in the browsers of all users viewing the compromised page. The vulnerability affects all versions up to and including 2.2.15, with a fix available in version 2.3.0.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4895 MEDIUM This Month

Stored cross-site scripting in GreenShift - Animation and Page Builder Blocks plugin for WordPress up to version 12.8.9 allows authenticated contributors to inject arbitrary JavaScript into pages via improper HTML string manipulation in the gspb_greenShift_block_script_assets() function. The vulnerability exploits a naive str_replace() operation that fails to parse HTML context, enabling attackers to break out of attribute boundaries and inject malicious event handlers like onfocus with JavaScript payloads that execute when users access affected pages. No public exploit code has been identified; however, the low attack complexity and straightforward injection vector make this a practical risk for sites with untrusted contributors.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5217 HIGH This Week

Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.

XSS PHP WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-5207 MEDIUM This Month

SQL injection in LifterLMS WordPress plugin versions up to 9.2.1 allows authenticated Instructor-level users with edit_post capability to extract sensitive database information via insufficiently escaped 'order' parameter in quiz reporting tables. The vulnerability requires authenticated access with specific WordPress role and post capabilities, limiting exposure to trusted users with elevated privileges; no public exploit code or active exploitation has been identified at time of analysis.

SQLi WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-5226 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Optimole - Optimize Images in Real Time WordPress plugin versions up to 4.2.3 allows unauthenticated attackers to inject arbitrary JavaScript through malicious URL paths. The vulnerability stems from insufficient output escaping in the get_current_url() function, which are then inserted into JavaScript code via str_replace() without proper JavaScript context escaping in replace_content(). An attacker can craft a malicious link that, when clicked by a WordPress user, executes injected scripts in the context of the user's browser session with CVSS 6.1 (Medium) severity.

XSS WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-3358 MEDIUM This Month

Tutor LMS plugin for WordPress up to version 3.9.7 allows authenticated subscribers to enroll in private courses due to missing post_status validation in enrollment functions, exposing private course metadata in user dashboards despite WordPress core preventing actual content access. The vulnerability requires subscriber-level authentication but affects confidentiality and integrity, with confirmed patches available in version 3.9.8.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-4162 HIGH This Week

Missing authorization in Gravity SMTP plugin for WordPress (versions ≤2.1.4) allows authenticated attackers with subscriber-level privileges to uninstall the plugin, deactivate functionality, and delete configuration options. Exploitable via direct API calls or CSRF attack vectors. Affects Gravity SMTP by Rocketgenius. Successful exploitation enables low-privileged users to disable critical SMTP mail delivery functionality and remove plugin settings without proper permission checks. No public exploit identified at time of analysis.

WordPress CSRF Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-4432 MEDIUM POC PATCH This Month

Unauthenticated attackers can rename arbitrary wishlists on WordPress sites running YITH WooCommerce Wishlist before version 4.13.0 due to insufficient ownership validation in the save_title() AJAX handler. The vulnerability exploits a publicly exposed nonce in the wishlist page source, allowing attackers to modify wishlist names for any user without authentication. While the CVSS score of 6.5 reflects moderate integrity and confidentiality impact, the EPSS score of 0.02% (percentile 6%) and low real-world exploitation probability suggest this is a niche risk affecting only sites using this specific plugin, though publicly available exploit code exists.

Information Disclosure WordPress
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 5.3
MEDIUM This Month

LatePoint WordPress plugin versions up to 5.3.2 expose a public, unauthenticated endpoint (OsStripeConnectController::create_payment_intent_for_transaction) that allows sequential enumeration of invoice IDs and unauthorized creation of transaction intent records containing sensitive financial data, customer identifiers, and Stripe payment secrets. Unauthenticated remote attackers can exploit this Insecure Direct Object Reference (IDOR) vulnerability to leak confidential payment information and Stripe Connect tokens without authentication or user interaction. No active exploitation has been confirmed at the time of analysis.

Authentication Bypass Oracle WordPress
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Tutor LMS plugin for WordPress through version 3.9.8 allows authenticated Admin-level attackers to extract sensitive database information by injecting malicious SQL via the 'date' parameter, which is insufficiently escaped before being interpolated into a SQL fragment passed to $wpdb->prepare(). The vulnerability requires Admin authentication and does not permit data modification or denial of service. CVSS 6.5 reflects confidentiality impact; exploitation is limited to high-privilege authenticated users.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows authenticated administrators to extract sensitive database information via unsanitized parameters (ip_search, startdate, enddate, username_search, useremail_search) in the Submissions display function. The vulnerability stems from the validate_data() method stripping WordPress's magic quotes protection and get_labels_parameters() concatenating user input directly into SQL queries without prepared statements. A CSRF vector exists because the vulnerable display task lacks nonce verification, enabling attackers to trick administrators into triggering the injection via a crafted link. Exploitation requires Administrator-level privileges but can be chained with CSRF for unauthorized triggering.

WordPress SQLi CSRF
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

JetBackup plugin for WordPress versions up to 3.1.19.8 allows authenticated administrators to delete arbitrary directories via path traversal in the file upload handler. The vulnerability stems from insufficient input validation on the fileName parameter, which is sanitized using sanitize_text_field() but still permits path traversal sequences like '../'. When combined with the recursive directory deletion logic in the cleanup routine, attackers can traverse outside the intended upload directory and delete critical WordPress directories such as wp-content/plugins, completely disabling all plugins and severely disrupting the WordPress installation.

File Upload Path Traversal WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

wpForo Forum plugin for WordPress allows authenticated Subscriber-level attackers to modify arbitrary forum posts via variable extraction abuse and weak nonce validation. Attackers exploit the `extract($args, EXTR_OVERWRITE)` function in the `edit()` method to bypass permission checks, enabling unauthorized modification of post titles, bodies, names, and emails across all forum visibility levels including private forums and admin/moderator posts. A hardcoded nonce shared across all forum templates allows any user viewing any forum page to obtain a valid nonce, making exploitation trivial for authenticated users.

PHP Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

WP Statistics plugin for WordPress versions up to 14.16.4 fail to enforce capability checks on multiple AJAX endpoints, allowing authenticated Subscriber-level users to access sensitive analytics data, retrieve and modify privacy audit status, and dismiss administrative notices. The vulnerability stems from reliance on nonce verification alone without role-based access control, affecting all installations with the plugin active and at least one authenticated user account. No public exploit code or active exploitation has been confirmed at time of analysis.

Authentication Bypass WordPress
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in WP Statistics plugin (≤14.16.4) allows unauthenticated attackers to inject malicious JavaScript into admin dashboard analytics pages. The vulnerability stems from unsafe handling of utm_source URL parameters that persist into database-backed charts, executing when administrators view Referrals Overview or Social Media pages. With CVSS 7.2 and network vector requiring no authentication, this represents elevated risk for WordPress sites using this analytics plugin, though no active exploitation confirmed at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in MasterStudy LMS WordPress plugin up to version 3.7.25 allows authenticated subscribers and above to extract sensitive database information including user credentials and session tokens via unquoted ORDER BY clause injection in the /lms/stm-lms/order/items REST API endpoint. The vulnerability stems from a custom Query builder that concatenates user-supplied sort parameters containing parentheses directly into SQL ORDER BY clauses without proper quoting, bypassing the plugin's use of esc_sql(). CVSS score of 6.5 reflects network-accessible exploitation requiring low privilege (subscriber-level) authentication and no user interaction.

WordPress SQLi
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Royal Addons for Elementor plugin versions up to 1.7.1056 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the Instagram Feed widget's 'instagram_follow_text' setting, executing malicious scripts whenever users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the widget configuration handler. CVSS 6.4 reflects the moderate severity (network-accessible, no user interaction required from victims, but limited scope to stored XSS with low confidentiality and integrity impact). No public exploit code or active exploitation has been confirmed at time of analysis.

XSS WordPress Elementor
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker thread, creating an unauthenticated denial of service vector. This issue has been fixed in version 3.7.7.

PHP Authentication Bypass WordPress +1
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

The Email Encoder - Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 3.1
LOW Monitor

The OneSignal - Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete OneSignal metadata for arbitrary posts.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

The Better Find and Replace - AI-Powered Suggestions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded image title in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

The DirectoryPress - Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify post share count metadata in Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX (PostX) plugin versions up to 5.0.5 due to a missing capability check in the ultp_shareCount_callback() function. This allows unauthorized modification of share_count post meta for any post including private and draft posts, affecting all WordPress installations running the vulnerable plugin. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) in Career Section WordPress plugin versions ≤1.6 enables unauthenticated attackers to delete arbitrary server files through social engineering. Attackers trick authenticated WordPress administrators into clicking malicious links that exploit missing nonce validation in the delete action handler, leading to path traversal and unrestricted file deletion. CVSS 8.8 (High) with network attack vector but requires user interaction (UI:R). EPSS and KEV data not provided; public exploit code status unknown. Wordfence advisory and upstream patch commit available.

Path Traversal WordPress CSRF
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in Prismatic WordPress plugin (all versions ≤3.7.3) allows unauthenticated remote attackers to inject malicious scripts via crafted comment submissions containing the 'prismatic_encoded' pseudo-shortcode. Vulnerable code in prismatic_decode function fails to sanitize user-supplied attributes. CVSS 7.2 with scope change (S:C) elevates impact beyond vulnerable component. EPSS data not available; no CISA KEV listing identified. Wordfence threat intelligence confirms vulnerability; patch released in version 3.7.4 per WordPress plugin repository changelog.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in Customer Reviews for WooCommerce plugin allows unauthenticated attackers to inject arbitrary JavaScript via the unescaped 'crsearch' parameter, affecting all versions up to 5.101.0. Exploitation requires social engineering (victim must click a malicious link), but successful attacks can steal session cookies, perform actions as the logged-in user, or redirect to phishing sites. No public exploit code or active exploitation has been identified, though the vulnerability is trivially reproducible given the simple parameter manipulation required.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WP Maps plugin for WordPress allows authenticated contributors to inject malicious scripts via the 'put_wpgm' shortcode due to insufficient input sanitization and output escaping. Attackers with contributor-level access and above can craft malicious shortcode attributes that persist in page content and execute for all subsequent visitors. All versions up to 4.8.7 are affected; patched version 4.8.8 is available.

XSS WordPress Google
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in BetterDocs WordPress plugin versions up to 4.3.8 allows authenticated attackers with contributor-level access to inject arbitrary JavaScript into pages via the 'betterdocs_feedback_form' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling account compromise, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at this time.

XSS WordPress Elementor
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Stored cross-site scripting in OPEN-BRAIN WordPress plugin versions up to 0.5.0 allows authenticated administrators to inject malicious scripts via the API Key settings field, which are executed when any user accesses the plugin settings page. The vulnerability stems from improper use of sanitize_text_field() (which does not prevent attribute breakout) combined with missing esc_attr() escaping when outputting the API key to an HTML input value attribute. While exploitation requires administrator-level access, the stored nature means scripts persist and affect all subsequent user interactions with the settings page.

XSS WordPress
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Livemesh Addons for Elementor plugin versions up to 9.0 allow authenticated attackers with Subscriber-level access to inject arbitrary JavaScript via the plugin settings page through missing authorization checks on the AJAX handler lae_admin_ajax() and insufficient output escaping on checkbox fields. The injected scripts execute whenever an administrator accesses the settings page if the attacker obtains a valid nonce, which can be leaked due to improper access control on settings pages. This combination of authorization bypass and stored XSS affects all WordPress installations running the vulnerable plugin.

XSS WordPress Elementor
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Local file inclusion in Livemesh Addons for Elementor (WordPress plugin) ≤9.0 allows authenticated attackers with Contributor-level privileges to include and execute arbitrary PHP files via recursive directory traversal bypass in widget template parameters. The vulnerability requires Elementor plugin installation and either admin interaction (social engineering) or direct Contributor access. CVSS 8.8 reflects high impact (RCE potential) but limited by authentication requirement. No active exploitation confirmed (not in CISA KEV), but publicly available exploit code exists (Wordfence disclosure with technical details and code references).

PHP LFI WordPress +2
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify stored map latitude and longitude options in the Basic Google Maps Placemarks WordPress plugin through version 1.10.7 due to missing authorization checks on administrative functions. The vulnerability allows remote, unauthenticated modification of critical map configuration without requiring user interaction, affecting any WordPress site running the vulnerable plugin with default settings. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress Google
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in Accessibility Suite by Ability, Inc WordPress plugin (versions up to 4.20) allows authenticated attackers with Subscriber-level access to extract sensitive database information via an unescaped 'scan_id' parameter. The vulnerability is unauthenticated remote network-accessible but requires low-privilege login credentials; no public exploit code or active exploitation has been identified at the time of analysis.

WordPress SQLi
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in AcyMailing WordPress plugin (versions 9.11.0-10.8.1) allows authenticated Subscriber-level users to gain administrator access through a multi-stage attack chain. Attackers exploit a missing capability check in the wp_ajax_acymailing_router AJAX handler to access admin-only configuration controllers, enable autologin features, inject malicious cms_id values into newsletter subscribers, and authenticate as any WordPress user including administrators. EPSS data not available; no confirmed active exploitation (CISA KEV absent), but the low attack complexity (AC:L) and detailed public code references increase exploitation risk for installations with subscriber registration enabled.

Authentication Bypass WordPress Privilege Escalation
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in Riaxe Product Customizer for WordPress (all versions ≤2.1.2) allows unauthenticated remote attackers to extract sensitive database contents via crafted REST API requests. The vulnerability exists in the /wp-json/InkXEProductDesignerLite/add-item-to-cart endpoint where the 'options' parameter keys within 'product_data' lack proper SQL escaping. CVSS 7.5 (High) with attack vector network/low complexity/no authentication required. Wordfence discovery indicates active researcher attention. No CISA KEV listing or public exploit code identified at time of analysis, but EPSS data unavailable for risk calibration.

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Signature validation bypass in Redsys payment gateway plugin (WooCommerce) allows remote attackers to mark unpaid orders as completed without actual payment. Unauthenticated attackers who obtain a valid order key and amount can forge payment callbacks across Redsys, Bizum, and Google Pay flows, enabling fraudulent order fulfillment. Affects versions ≤7.0.0 of 'Payment Gateway for Redsys & WooCommerce Lite' WordPress plugin. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation, though EPSS data unavailable. No CISA KEV listing or public POC identified at time of analysis. Vendor patch released in changeset 3501998.

Information Disclosure Jwt Attack WordPress +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Custom New User Notification plugin for WordPress versions up to 1.2.0 allows authenticated administrators to inject arbitrary JavaScript into plugin settings pages via unescaped admin form fields (User Mail Subject, User From Name, User From Email, Admin Mail Subject, Admin From Name, Admin From Email). When any user accesses the plugin settings page, the injected scripts execute in their browser context, enabling privilege escalation in WordPress multisite environments where subsite administrators target super administrators. No public exploit code or active exploitation has been identified; the attack requires Administrator-level credentials, limiting real-world risk despite moderate CVSS score.

XSS WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Riaxe Product Customizer plugin for WordPress versions up to 2.1.2 allows unauthenticated attackers to delete arbitrary user accounts via a REST API endpoint lacking permission checks. The POST /wp-json/InkXEProductDesignerLite/customer/delete_customer route accepts a list of user IDs and directly deletes them without authentication or authorization validation, enabling attackers to remove administrator accounts and cause complete site lockout. This is confirmed by Wordfence and affects all installations running the vulnerable plugin version.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote attackers can escalate to administrator privileges on WordPress sites running Riaxe Product Customizer plugin ≤2.1.2. The plugin exposes an AJAX endpoint ('install-imprint') without authentication checks that allows arbitrary WordPress option manipulation, enabling attackers to create administrator accounts by modifying registration settings. CVSS 9.8 (Critical) reflects the complete site compromise potential. EPSS data not provided but exploitation requires only HTTP access to any vulnerable WordPress installation with this plugin active-no special conditions beyond plugin presence.

Authentication Bypass WordPress Privilege Escalation
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Vantage WordPress theme up to version 1.20.32 allows authenticated contributors and higher-privileged users to inject malicious scripts into gallery block text content that execute for all site visitors. The vulnerability stems from insufficient output escaping in the gallery template, enabling attackers with contributor-level access to compromise page integrity and potentially steal session tokens or deface content.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in WP Docs plugin for WordPress (all versions through 2.2.9) allows authenticated attackers with subscriber-level access to inject malicious scripts via the 'wpdocs_options[icon_size]' parameter due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user accessing the affected page, enabling session hijacking, credential theft, or malware distribution with no user interaction required beyond normal site browsing. No public exploit code has been identified, but the vulnerability is technically straightforward to exploit given valid subscriber credentials.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored Cross-Site Scripting (XSS) in CodeColorer plugin for WordPress versions up to 0.10.1 allows unauthenticated attackers to inject malicious JavaScript via the 'class' parameter in the 'cc' comment shortcode, which executes in the browsers of users viewing the affected page. Exploitation requires comments to be enabled and guest comments permitted on the target post. The vulnerability has a CVSS score of 6.1 with low complexity and no authentication required, but user interaction (visiting the affected page) is necessary for the payload to execute.

XSS WordPress
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate through version 7.4.9 allows authenticated contributors and above to inject arbitrary JavaScript into WordPress pages via the 'su_box' shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of all users who access the affected pages, potentially compromising site visitors' sessions and data. No public exploit code has been identified at the time of analysis, though the vulnerability is straightforward to reproduce and weaponize.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP YouTube Lyte plugin for WordPress versions up to 1.7.29 allows authenticated contributors and above to inject arbitrary JavaScript via the 'lyte' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages. No public exploit code or active exploitation has been confirmed at time of analysis; patch is available in version 1.7.30 and later.

XSS WordPress
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation to WordPress administrator via insecure token-based authentication in Barcode Scanner (+Mobile App) plugin versions ≤1.11.0 allows remote unauthenticated attackers to gain full administrative control. The plugin leaks valid admin authentication tokens through the 'barcodeScannerConfigs' action and accepts Base64-encoded user IDs without validation, enabling attackers to spoof admin credentials, extract legitimate tokens, and modify any user's 'wp_capabilities' meta to grant themselves administrator privileges. CVSS 9.8 (Critical) with network vector, low complexity, and no authentication required. Vendor patch deployed in changeset 3506824.

Privilege Escalation WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.16.12. This is due to the 'process_checkout' function not properly enforcing the plan active status check when a 'change_plan_sub_id' parameter is provided. This makes it possible for authenticated attackers, with Subscriber-level access and above, to subscribe to inactive membership plans by supplying an arbitrary 'change_plan_sub_id' value in the checkout request.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS.This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Product Pricing Table by WooBeWoo plugin for WordPress allows unauthenticated attackers to inject arbitrary web scripts or delete pricing tables by tricking site administrators into clicking a malicious link, exploiting missing nonce validation in the updateLabel() and remove() functions across all versions up to and including 1.1.0. No public exploit code identified at time of analysis, but the vulnerability requires only user interaction (UI:R) and has a network attack vector, making it moderately exploitable in real-world scenarios.

WordPress CSRF
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in Accessibly WordPress plugin (≤3.0.3) allows unauthenticated attackers to inject malicious JavaScript executed by all site visitors via unprotected REST API endpoints. Two endpoints (/otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config) lack authentication checks (permission_callback set to __return_true), enabling attackers to modify the widgetSrc option with a URL pointing to attacker-controlled scripts. The malicious URL is stored unsanitized in WordPress options and

PHP WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Power Charts Lite WordPress plugin versions up to 0.1.0 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'id' parameter of the [pc] shortcode. The vulnerability exists because the plugin extracts user-supplied shortcode attributes, directly concatenates them into HTML class attributes without sanitization, and then decodes HTML entities, creating a persistent XSS payload that executes for all users viewing the affected page. No active exploitation has been confirmed, but the attack requires only standard WordPress contributor permissions and no additional complexity.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in WM JqMath WordPress plugin up to version 1.3 allows authenticated contributors and above to inject arbitrary JavaScript via the 'style' shortcode attribute, which executes in the browsers of all users viewing affected pages. The vulnerability stems from direct concatenation of unsanitized user input into HTML without proper escaping (missing esc_attr() calls). CVSS 6.4 reflects moderate risk with scope change; no public exploit code or active KEV status identified at time of analysis.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Remote attackers can manipulate payment amounts in Stripe and PayPal transactions through the MetForm Pro WordPress plugin by submitting arbitrary values in the 'mf-calculation' field, bypassing price validation. Versions up to 3.9.7 are affected; the plugin fails to recompute or validate user-submitted calculation fields against configured form prices, allowing unauthenticated attackers to reduce or alter payment amounts on vulnerable forms. No active exploitation has been publicly confirmed, though the attack requires minimal complexity and produces direct financial impact.

Information Disclosure WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can retrieve sensitive PDF metadata and configuration values through a missing authorization flaw in the Katalogportal PDF Sync WordPress plugin (versions up to 1.0.0). The katalogportal_popup_shortcode() AJAX handler lacks capability checks and nonce verification, allowing any user to enumerate all synchronized PDF attachments-including those from private or draft posts-along with filenames and the katalogportal_userid configuration. This information disclosure has a CVSS score of 5.3 (low-to-medium severity) but enables reconnaissance for further attacks against WordPress installations.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery (CSRF) in OPEN-BRAIN plugin for WordPress versions up to 0.5.0 allows unauthenticated attackers to inject malicious web scripts by tricking site administrators into clicking a malicious link, due to missing nonce verification in the func_page_main() settings form handler. With a CVSS score of 6.1 and network-level attack surface requiring only user interaction, this vulnerability affects any WordPress installation using the affected plugin. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress CSRF
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in Visa Acceptance Solutions WordPress plugin (all versions through 2.1.0) allows unauthenticated remote attackers to gain complete account takeover by providing any user's email address during guest checkout. The vulnerability enables login as any existing user, including administrators, without password verification or email ownership validation. With a CVSS score of 9.8 (critical) and attack complexity of Low, this represents an immediate exploitation risk requiring no user interaction or privileges, though no public exploit or active exploitation (KEV) has been identified at time of analysis.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authenticated users with Subscriber-level access or above can modify WordPress form field configurations in the e-shot form builder plugin (versions up to 1.0.2) due to missing authorization checks in the eshot_form_builder_update_field_data AJAX handler. The function lacks both capability checks and nonce verification, allowing attackers to manipulate form field properties such as mandatory status, visibility, and display preferences without proper permission validation. No public exploit code or active exploitation has been confirmed at this time.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Coachific Shortcode plugin for WordPress versions up to 1.0 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the 'userhash' shortcode attribute. The plugin sanitizes input with sanitize_text_field() but fails to apply JavaScript-specific escaping before interpolating the value into a script tag, enabling persistent XSS attacks visible to all page visitors. EPSS score of 6.4 reflects moderate real-world risk constrained by the requirement for authenticated contributor access and user interaction.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in Petje.af WordPress plugin versions up to 2.1.8 allows unauthenticated attackers to force authenticated users into destructive actions-including revoking OAuth2 tokens, deleting user metadata, and permanently removing WordPress user accounts with the 'petjeaf_member' role-by crafting malicious requests that bypass nonce validation in the ajax_revoke_token() AJAX handler. The vulnerability requires user interaction (victim must click a link or visit a malicious site) but carries moderate integrity impact due to the ability to delete user accounts.

WordPress CSRF
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Circliful plugin for WordPress up to version 1.2 allows authenticated attackers with Contributor-level access to inject arbitrary HTML and JavaScript via insufficiently sanitized shortcode attributes in [circliful] and [circliful_direct] shortcodes. The vulnerability exists in the circliful_shortcode() and circliful_direct_shortcode() functions, which concatenate user input directly into HTML attributes without escaping. When a user visits a page containing the injected shortcode, the malicious script executes in their browser. No public exploit code or active exploitation in the wild has been confirmed at time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in Quick Interest Slider plugin for WordPress (versions ≤3.1.5) allows unauthenticated remote attackers to inject malicious scripts via unsanitized 'loan-amount' and 'loan-period' parameters. Injected scripts execute in victim browsers when accessing compromised pages, enabling session hijacking, credential theft, or malicious redirects. CVSS 7.2 with network-accessible, low-complexity attack vector (AV:N/AC:L/PR:N) and scope change (S:C) indicates significant cross-tenant impact. No public exploit identified at time of analysis, though exploitation requires minimal technical sophistication due to unauthenticated attack surface.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in Login as User WordPress plugin (all versions ≤1.0.3) allows authenticated subscribers to become administrators by manipulating a client-side cookie. Attackers with Subscriber-level access can set the 'oclaup_original_admin' cookie to an admin user ID and trigger the 'Return to Admin' function, granting full admin privileges. CVSS 8.8 (High) with network vector, low complexity, and low privileges required. No public exploit identified at time of analysis, EPSS data not available. Wordfence reported vulnerability with direct source code references to vulnerable functions in class-login-handler.php.

Authentication Bypass Privilege Escalation WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in VI: Include Post By WordPress plugin up to version 0.4.200706 allows authenticated contributors and above to inject arbitrary JavaScript via the 'class_container' shortcode attribute, which executes in the browsers of any user viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode parameters. No public exploit code or active exploitation has been reported; however, the low attack complexity and broad scope of impact (affecting all site visitors) make this a moderate-priority issue for WordPress installations using this plugin.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery leading to stored cross-site scripting in Inquiry Form to Posts or Pages plugin version 1.0 for WordPress allows unauthenticated attackers to inject arbitrary scripts into administrator settings. The vulnerability stems from missing nonce validation on the settings update handler combined with insufficient input sanitization and output escaping, enabling an attacker to craft a malicious request that, when visited by a logged-in administrator, stores persistent XSS payloads. With a CVSS score of 4.3 and no evidence of public exploitation, this represents a moderate-severity threat requiring administrator interaction.

WordPress CSRF XSS
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

WordPress Google XSS
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory.

WordPress Path Traversal
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unrestricted file upload in WebStack WordPress theme allows unauthenticated remote code execution. The io_img_upload() function in all versions through 1.2024 lacks file type validation, enabling unauthenticated attackers to upload malicious files (e.g., PHP shells) directly to the server. No public exploit identified at time of analysis, but EPSS score and attack complexity (CVSS AC:L) indicate straightforward exploitation. Critical severity (CVSS 9.8) warranted due to complete system compromise potential with zero authentication barriers.

WordPress RCE File Upload
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Arbitrary WordPress action execution in Avada (Fusion) Builder plugin versions up to 3.15.1 allows authenticated attackers with Subscriber-level access to invoke unvalidated WordPress action hooks via the Dynamic Data feature, potentially enabling privilege escalation, file inclusion, denial of service, or remote code execution depending on available hooks in the WordPress installation. The vulnerability stems from the `output_action_hook()` function accepting user-controlled input without authorization checks. No public exploit code or active exploitation has been confirmed at time of analysis.

Denial Of Service RCE WordPress +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Avada (Fusion) Builder plugin for WordPress up to version 3.15.1 allows authenticated Subscriber-level users and above to access protected post metadata through the Dynamic Data feature's `post_custom_field` parameter due to insufficient validation of underscore-prefixed metadata keys. The `fusion_get_post_custom_field()` function fails to enforce metadata access controls, enabling disclosure of sensitive metadata that should be restricted. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can bypass field-level authorization in Advanced Custom Fields (ACF) plugin versions up to 6.7.0 via AJAX endpoints that process user-supplied filter parameters without proper privilege checks, enabling disclosure of draft, private, and restricted post/page content that should be hidden by field configuration. The vulnerability affects any WordPress site with ACF installed and frontend forms exposed, requiring only network access and no user interaction. CVSS 5.3 reflects confidentiality impact with low attack complexity; no KEV status or public POC confirmed at analysis time.

Authentication Bypass WordPress Advanced Custom Fields
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in Token of Trust WordPress plugin versions ≤3.32.3 allows unauthenticated remote attackers to inject malicious scripts via the unsanitized 'description' parameter, achieving persistent code execution in victim browsers with changed security context (CVSS scope changed). CVSS 7.2 with network attack vector and no authentication required. No public exploit identified at time of analysis, but EPSS data not provided to assess exploitation probability.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can bypass authorization checks in the Nexi XPay plugin for WordPress (versions up to 8.3.0) to mark pending WooCommerce orders as paid or completed by exploiting a missing authorization check on the redirect function. This allows payment fraud by converting unpaid orders into completed transactions without authentication. No public exploit code or active exploitation has been reported at time of analysis.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Eventin - Events Calendar, Event Booking, Ticket & Registration plugin for WordPress fails to properly validate user capabilities in the get_item_permissions_check() function, allowing authenticated Subscriber-level users to enumerate and read arbitrary order data including customer names, emails, and phone numbers through order ID iteration. Affected versions include all releases up to and including 4.1.8. This is a low-complexity, network-accessible vulnerability (CVSS 4.3) that requires only basic authentication, making it exploitable by any user with a WordPress account on an affected site.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated attackers can execute arbitrary WordPress shortcodes in the Germanized for WooCommerce plugin (all versions up to 3.20.5) via the 'account_holder' parameter, which bypasses shortcode validation in the do_shortcode() function. This enables remote code execution with medium severity (CVSS 6.5) affecting any WordPress site with the vulnerable plugin installed. No public exploit code or active exploitation has been confirmed at the time of analysis.

Code Injection RCE WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

PHP object injection in Smart Post Show WordPress plugin versions ≤3.0.12 allows administrators to deserialize untrusted input via the import_shortcodes() function. While no POP chain exists in the plugin itself (making direct exploitation impossible), the vulnerability becomes critical if paired with another plugin/theme containing exploitable gadget chains, potentially enabling file deletion, data exfiltration, or remote code execution. CVSS 7.2 (High) reflects theoretical maximum impact. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE identifier.

PHP WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in ShopLentor WordPress plugin (versions up to 3.3.5) via the woolentor_quickview_button shortcode's button_text attribute allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript that executes for all site visitors. The vulnerability stems from insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. With a CVSS score of 6.4 and confirmed patch availability in version 3.3.6, this poses a moderate risk to WordPress installations using the plugin, particularly those with multiple contributor-level users.

XSS WordPress
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in WholeSale Products Dynamic Pricing Management WooCommerce plugin allows authenticated administrators to inject arbitrary web scripts via admin settings that execute for all users on affected pages. The vulnerability affects all versions up to and including 1.2 on multi-site WordPress installations or single-site installations with unfiltered_html disabled. While the CVSS score of 4.4 is moderate, exploitation requires high-privilege administrator credentials and the attack is limited by high attack complexity; however, the persistent nature of stored XSS means injected payloads affect all subsequent site visitors.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Surbma | Booking.com Shortcode WordPress plugin (all versions up to 2.1) allows authenticated contributors and above to inject malicious scripts into pages via insufficient input sanitization on the `surbma-bookingcom` shortcode attributes, causing arbitrary JavaScript execution for all site visitors accessing the compromised page. The vulnerability has a CVSS score of 6.4 with network-based attack vector and low complexity, requiring only contributor-level privileges to exploit. No public exploit code or active exploitation has been independently confirmed at the time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored Cross-Site Scripting in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows unauthenticated attackers to inject malicious JavaScript through Matrix field submissions that executes when administrators view submission details. The vulnerability stems from inadequate sanitization (sanitize_text_field removes tags but preserves quotes) and missing output escaping in the admin Submissions view. With CVSS 7.2 (High) and network-based attack vector requiring no privileges or user int

XSS WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Local file inclusion in BackWPup WordPress plugin versions ≤5.6.6 allows authenticated administrators to read sensitive configuration files or achieve remote code execution via path traversal bypass in the `/wp-json/backwpup/v1/getblock` REST endpoint. The vulnerability stems from insufficient sanitization using non-recursive `str_replace()`, enabling crafted sequences like `....//` to bypass filtering. While requiring high privileges (PR:H), the plugin's permission delegation feature allows administrators to grant backup management rights to lower-privileged users, expanding the attack surface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though CVSS 7.2 reflects high confidentiality, integrity, and availability impact.

PHP Path Traversal WordPress +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in JetEngine WordPress plugin (≤3.8.6.1) via Custom Content Type REST API allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from unsanitized search parameters in REST endpoints, bypassing WordPress's built-in SQL protections. Attack complexity is low (CVSS AC:L) with no user interaction required. EPSS and KEV data not provided; exploitation requires Custom Content Types module enabled with public REST endpoints configured.

WordPress SQLi
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated data deletion in LearnPress WordPress LMS plugin (versions ≤4.3.2.8) allows remote attackers to delete arbitrary quiz answer options without authentication. The plugin exposes wp_rest nonces to unauthenticated visitors in public frontend HTML and uses this nonce as the sole security gate for its AJAX dispatcher, while the delete_question_answer() function lacks both capability and ownership verification. With CVSS 9.1 (Critical) scoring and network-exploitable attack vector requi

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.

Open Redirect WordPress
NVD
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data not available, but the combination of unauthenticated access, public POC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations.

SQLi WordPress
NVD WPScan VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

SQL injection in Form Maker by 10Web WordPress plugin before version 1.15.38 allows unauthenticated remote attackers to read sensitive data via improper SQL query preparation when the MySQL Mapping feature is enabled. The attack requires high complexity to exploit but has high confidentiality impact, affecting all WordPress sites running the vulnerable plugin with this feature active. Public exploit code is available, though EPSS scoring (0.02%) suggests real-world exploitation remains limited despite the presence of proof-of-concept.

SQLi WordPress
NVD WPScan VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Arbitrary file deletion in wpForo Forum plugin for WordPress (≤3.0.2) allows authenticated attackers with subscriber-level access to delete critical server files including wp-config.php. A two-step logic flaw permits injection of attacker-controlled file paths via poisoned postmeta arrays (data[body][fileurl]), which are later passed unvalidated to wp_delete_file(). The vulnerability requires low-privilege authentication (PR:L) and enables denial-of-service against WordPress installations through deletion of configuration or core files. No public exploit identified at time of analysis.

WordPress PHP Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in Tutor LMS WordPress plugin versions up to 3.9.7 allows authenticated Subscriber-level users to manipulate course content structure across any course by exploiting missing authorization checks in the save_course_content_order() method, enabling attackers to detach lessons from topics, reorder course content, and reassign lessons between courses without proper ownership verification.

WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 5.0
MEDIUM This Month

Blind Server-Side Request Forgery in UsersWP WordPress plugin versions up to 1.2.58 allows authenticated subscribers and above to force the WordPress server to make arbitrary HTTP requests via the uwp_crop parameter in avatar/banner image crop operations. The vulnerability stems from insufficient URL origin validation in the process_image_crop() method, which accepts user-controlled URLs and passes them to PHP image processing functions that support URL wrappers, enabling internal network reconnaissance and potential access to sensitive services. No public exploit code or active exploitation has been confirmed, though the vulnerability requires only authenticated access and low attack complexity.

PHP SSRF WordPress
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in BuddyPress Groupblog (WordPress plugin) allows authenticated attackers with Subscriber-level access to grant Administrator privileges on any blog in a Multisite network, including the main site. Exploitation leverages missing authorization checks in group blog settings handlers, enabling attackers to inject arbitrary WordPress roles (including administrator) and associate groups with any blog ID. When users join the compromised group, they are silently added to the targeted blog with the injected role. Authenticated access required (PR:L). No public exploit identified at time of analysis.

WordPress Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in BlockArt Blocks plugin for WordPress allows authenticated attackers with Author-level or higher permissions to inject arbitrary JavaScript into page content via the 'clientId' block attribute due to insufficient input sanitization and output escaping. An attacker can craft malicious block content that executes in the browsers of all users viewing the compromised page. The vulnerability affects all versions up to and including 2.2.15, with a fix available in version 2.3.0.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in GreenShift - Animation and Page Builder Blocks plugin for WordPress up to version 12.8.9 allows authenticated contributors to inject arbitrary JavaScript into pages via improper HTML string manipulation in the gspb_greenShift_block_script_assets() function. The vulnerability exploits a naive str_replace() operation that fails to parse HTML context, enabling attackers to break out of attribute boundaries and inject malicious event handlers like onfocus with JavaScript payloads that execute when users access affected pages. No public exploit code has been identified; however, the low attack complexity and straightforward injection vector make this a practical risk for sites with untrusted contributors.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Unauthenticated stored XSS in Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.

XSS PHP WordPress
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in LifterLMS WordPress plugin versions up to 9.2.1 allows authenticated Instructor-level users with edit_post capability to extract sensitive database information via insufficiently escaped 'order' parameter in quiz reporting tables. The vulnerability requires authenticated access with specific WordPress role and post capabilities, limiting exposure to trusted users with elevated privileges; no public exploit code or active exploitation has been identified at time of analysis.

SQLi WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in Optimole - Optimize Images in Real Time WordPress plugin versions up to 4.2.3 allows unauthenticated attackers to inject arbitrary JavaScript through malicious URL paths. The vulnerability stems from insufficient output escaping in the get_current_url() function, which are then inserted into JavaScript code via str_replace() without proper JavaScript context escaping in replace_content(). An attacker can craft a malicious link that, when clicked by a WordPress user, executes injected scripts in the context of the user's browser session with CVSS 6.1 (Medium) severity.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Tutor LMS plugin for WordPress up to version 3.9.7 allows authenticated subscribers to enroll in private courses due to missing post_status validation in enrollment functions, exposing private course metadata in user dashboards despite WordPress core preventing actual content access. The vulnerability requires subscriber-level authentication but affects confidentiality and integrity, with confirmed patches available in version 3.9.8.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Missing authorization in Gravity SMTP plugin for WordPress (versions ≤2.1.4) allows authenticated attackers with subscriber-level privileges to uninstall the plugin, deactivate functionality, and delete configuration options. Exploitable via direct API calls or CSRF attack vectors. Affects Gravity SMTP by Rocketgenius. Successful exploitation enables low-privileged users to disable critical SMTP mail delivery functionality and remove plugin settings without proper permission checks. No public exploit identified at time of analysis.

WordPress CSRF Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Unauthenticated attackers can rename arbitrary wishlists on WordPress sites running YITH WooCommerce Wishlist before version 4.13.0 due to insufficient ownership validation in the save_title() AJAX handler. The vulnerability exploits a publicly exposed nonce in the wishlist page source, allowing attackers to modify wishlist names for any user without authentication. While the CVSS score of 6.5 reflects moderate integrity and confidentiality impact, the EPSS score of 0.02% (percentile 6%) and low real-world exploitation probability suggest this is a niche risk affecting only sites using this specific plugin, though publicly available exploit code exists.

Information Disclosure WordPress
NVD WPScan
Prev Page 17 of 194 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy