Skip to main content

WordPress

17323 CVEs vendor

Monthly

CVE-2026-13250 MEDIUM This Month

Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.

Authentication Bypass WordPress PHP Solace Extra
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-7559 MEDIUM This Month

Unauthorized affiliate management actions in the Affilia plugin for WordPress (all versions through 3.3.3) allow any subscriber-level authenticated user to approve or reject referrals, credit commissions to affiliate wallets, delete referral records, and modify banner options - enabling direct financial fraud against WooCommerce stores. The root cause is that the sole authentication gate relies on a WordPress nonce that is publicly embedded in every frontend page load via the JavaScript global `rtwalwm_global_params.rtwalwm_nonce`, making role-based access enforcement trivially bypassable. No public exploit code or CISA KEV listing is identified at time of analysis, but the low exploitation complexity and direct financial fraud impact make this a meaningful operational risk for any site running an affiliate program on this plugin.

Authentication Bypass WordPress Affiliate Program Referral Tracking For Woocommerce Wordpress Affilia
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15096 MEDIUM This Month

Stored Cross-Site Scripting in the Themify Builder WordPress plugin (all versions through 7.7.6) enables authenticated attackers holding contributor-level access or higher to persist arbitrary JavaScript via the Map Module's `b_width_map` field. Because the scope changes (S:C in CVSS), the injected payload executes inside every subsequent visitor's browser context - enabling session hijacking, credential theft, or administrative account takeover against any user who views an affected page. No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but the low exploitation complexity and network-accessible attack surface make it a meaningful risk on sites with open or broad contributor registration.

WordPress XSS Themify Builder
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-13968 MEDIUM This Month

Stored Cross-Site Scripting in the Starboard Suite Reservation Calendars WordPress plugin (all versions through 3.1.4) allows authenticated attackers with Contributor-level access to inject persistent malicious JavaScript via unescaped shortcode attributes in the [starboard-suite-lightbox] shortcode. Any site visitor who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session hijacking, credential theft, or malicious redirects against potentially higher-privileged users such as site administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and scope change to victim browsers make this a meaningful risk on multi-author WordPress sites.

WordPress XSS Starboard Suite Reservation Calendars
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13116 MEDIUM This Month

Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress Pdf Invoices Packing Slips For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-3576 HIGH This Week

Arbitrary local file disclosure in the Planyo Online Reservation System WordPress plugin (all versions through 3.0) lets unauthenticated remote attackers read any server-side file. The ulap.php AJAX proxy is reachable without WordPress bootstrapping or authentication and validates only the URL host against an allowlist, not the scheme, so a file://localhost/ URL passes the check and is fetched via curl/fopen. Reported by Wordfence with no public exploit identified at time of analysis; sensitive targets include wp-config.php database credentials and /etc/passwd.

WordPress SSRF PHP Planyo Online Reservation System
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-9738 MEDIUM This Month

Stored Cross-Site Scripting in the Print, PDF, Email by PrintFriendly WordPress plugin (versions through 5.5.10) allows authenticated administrators to inject persistent JavaScript via the 'content_position_css' parameter, which executes in the browsers of any user who visits an affected page. The scope change (S:C) in the CVSS vector confirms the injected script breaks out of the plugin's security context into victim browsers, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

WordPress XSS Print Pdf Email By Printfriendly
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-3552 MEDIUM PATCH This Month

Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low authentication barrier and clear impact on site availability and SEO ranking make this a meaningful risk for affected WordPress deployments.

Authentication Bypass WordPress Denial Of Service Surflink Link Manager Backup Restore
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-6803 MEDIUM This Month

Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-2354 HIGH This Week

Arbitrary file upload in the Swiss Toolkit For WP WordPress plugin (versions ≤ 1.4.6) lets authenticated Author-level (and higher) users bypass file-type validation and upload executable PHP, potentially achieving remote code execution on the host. The flaw stems from the upload_extension_files() function using a substring match instead of a real extension check when the optional 'Enhanced Multi-Format Image Support' feature is enabled. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis.

WordPress RCE File Upload Swiss Toolkit For Wp
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-15097 MEDIUM This Month

Stored XSS in the Themify Builder WordPress plugin (all versions through 7.7.6) allows contributor-level authenticated users to inject persistent JavaScript via the 'height_slider' Slider Module field, which executes in the browser of any visitor who loads an injected page. The scope change (S:C in CVSS) captures the cross-context impact: attacker payload runs in victims' sessions, enabling session hijacking, credential theft, or unauthorized admin actions. No active exploitation is confirmed in CISA KEV, but a patch commit (changeset 3601964) is visible in the WordPress plugin SVN repository, suggesting a fix has been committed beyond version 7.7.6.

WordPress XSS Themify Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-7620 MEDIUM This Month

Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.

Authentication Bypass WordPress Notification For Telegram
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13114 HIGH This Week

Stored cross-site scripting in the StyleMix Motors - Car Dealership & Classified Listings plugin for WordPress (all versions through 1.4.112) lets unauthenticated attackers persist malicious JavaScript through the Comment Content and User Biographical Info fields, which then executes in the browser of any visitor or administrator who views the affected page. The scope-changed CVSS 3.1 score of 7.2 reflects that injected script runs in a security context different from the vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated injection path makes it broadly abusable against sites running this popular automotive/classifieds plugin.

WordPress XSS Motors Car Dealership Classified Listings Plugin
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-13353 HIGH This Week

Authenticated remote code execution in the Smackcoders WP Ultimate CSV Importer WordPress plugin (versions up to and including 8.0.1) lets a low-privileged Subscriber run arbitrary PHP on the server. Missing capability checks on the install_addon, saveMappedFields, and StartImport AJAX handlers, plus a plugin nonce leaked to any authenticated admin-page viewer, let an attacker install the WooCommerce add-on, persist PHP expressions in the MappedFields parameter, and force their evaluation through eval() in ImportHelpers::get_meta_values(). No public exploit is identified at time of analysis, and the flaw is not in CISA KEV; with an EPSS signal not provided, the CVSS 8.8 and trivial subscriber prerequisite make it a high patch priority.

Code Injection WordPress PHP RCE Wp Ultimate Csv Importer Wordpress Import Export For Csv Xml Excel
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-7544 MEDIUM This Month

Sensitive Information Exposure in the Mux Video Uploader WordPress plugin (all versions through 1.1.4) allows any authenticated WordPress user at subscriber level or higher to retrieve Mux API credentials via the `muxvideo_enqueue_settings_script` function. Mux API keys exposed this way could enable unauthorized access to the site's Mux account, including video management and potential billing abuse. Reported by Wordfence; no public exploit code or CISA KEV listing identified at time of analysis.

WordPress Information Disclosure Mux Video Uploader
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-15072 MEDIUM This Month

SQL injection in KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress (all versions through 4.5.0) allows authenticated attackers with doctor-level or equivalent access to exfiltrate arbitrary database contents via a manipulated 'orderby' parameter. The flaw exists in DoctorSessionController.php and the KCQueryBuilder base class, where ORDER BY clause inputs are neither escaped nor parameterized, enabling appended SQL to traverse the entire WordPress database - including patient records, credentials, and clinical data. No public exploit code or active exploitation has been identified at time of analysis, though Wordfence has disclosed the vulnerability with source code references.

WordPress SQLi Kivicare Clinic Patient Management System Ehr
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-15338 HIGH This Week

Local File Inclusion in the LA-Studio Element Kit for Elementor WordPress plugin (all versions through 1.6.1) lets authenticated contributors and above coerce the get_type_template function into including arbitrary server-side .php files, enabling access-control bypass, sensitive data disclosure, and full PHP code execution where an attacker can plant a .php file. Reported by Wordfence with a CVSS 3.1 base score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw stems from wp_normalize_path being relied upon for path safety even though it only canonicalizes separators and never rejects traversal sequences.

WordPress LFI Path Traversal RCE PHP +2
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12426 MEDIUM This Month

Sensitive information exposure in the Members - Membership & User Role Editor Plugin for WordPress (all versions through 3.2.22) allows unauthenticated network attackers to exploit the REST API filter `members_filter_protected_posts_for_rest` as a boolean oracle, revealing the existence, count, and inferred keyword content of posts explicitly restricted by membership rules. The mechanism abuses per-page pagination parameters to observe response count changes, enabling iterative inference of hidden post content without ever receiving the post body directly. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV, but the zero-authentication, network-accessible attack surface means any WordPress site using this plugin with sensitive restricted content is exposed by default.

WordPress Oracle Information Disclosure Members Membership User Role Editor Plugin
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-3367 MEDIUM This Month

Stored Cross-Site Scripting in the Lockme OAuth2 Calendars Integration WordPress plugin (all versions through 2.11.0) permits authenticated administrators to persist arbitrary JavaScript in four settings fields - App ID, App Secret, Bookings ID prefix, and API domain - which then executes in the browser of any user who loads the plugin settings page. The root cause is a missing sanitize callback in register_setting() (Plugin.php:197) paired with unescaped output via direct echo into an HTML value attribute without esc_attr() (lines 212, 223, 245, 256), a classic CWE-79 dual-failure pattern. Exploitation risk is highest in WordPress multisite environments where per-site administrators, who should not have cross-site authority, could poison settings to harvest session tokens or perform actions in the context of super-administrators. No public exploit code and no CISA KEV listing have been identified at time of analysis; an upstream patch changeset (revision 3495564) has been committed to the WordPress plugin repository.

WordPress XSS Lockme Calendars Integration
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-10628 MEDIUM This Month

Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. No public exploit code or CISA KEV listing identified at time of analysis.

Authentication Bypass WordPress Points And Rewards For Woocommerce
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-13262 MEDIUM This Month

SQL injection in the Majestic Support WordPress help desk plugin (versions up to and including 1.1.9) allows any authenticated WordPress user to extract sensitive data from the site's database by appending arbitrary SQL to queries via the unsanitized 'val' AJAX parameter. Although the description characterizes attackers as 'unauthenticated,' exploitation in practice requires a Subscriber-level account to obtain a 'get-smart-reply' nonce - a low but real barrier accurately reflected in the CVSS PR:L rating. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial nonce-acquisition path (create a ticket, visit the result page) means any user permitted to submit support requests can exploit this on unpatched deployments. Version 1.2.0 appears to resolve the issue based on source code changes in the referenced repository tags.

WordPress SQLi Majestic Support The Leading Edge Help Desk Customer Support Plugin
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-15073 MEDIUM This Month

SQL injection in the KiviCare - Clinic & Patient Management System (EHR) WordPress plugin through version 4.5.0 enables authenticated clinic users to extract arbitrary data from the underlying database via a manipulated 'orderby' REST API parameter. The flaw resides in DoctorSessionController.php (lines 648 and 660) where user-supplied sort values are concatenated into queries without escaping or prepared-statement protections, cascading through KCQueryBuilder.php. No public exploit code or CISA KEV listing is identified at time of analysis; EPSS data was not provided, but the authenticated-only prerequisite and niche deployment footprint materially limit real-world impact.

WordPress SQLi Kivicare Clinic Patient Management System Ehr
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-5743 MEDIUM This Month

Stored XSS in the SimpLy Gallery Block & Lightbox WordPress plugin (all versions through 3.3.3.2) allows authenticated attackers with Author-level access to inject persistent JavaScript via the sliderMaxHeight block attribute. The root cause is a defective regex in pgc_sgb_sanitize_custom_css() that strips quoted event handlers but silently permits unquoted HTML event handler syntax (e.g., onfocus=alert(document.cookie)), enabling a sanitization bypass that survives to page render. No public exploit or CISA KEV listing is identified at time of analysis, though the stored nature means injected payloads persist and execute against any subsequent visitor - including administrators.

WordPress XSS Simply Gallery
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8678 MEDIUM This Month

Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.

Authentication Bypass WordPress Myparcel
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13756 HIGH This Week

Privilege escalation in the WP Grid Builder WordPress plugin (versions ≤ 2.3.3) lets an authenticated Subscriber-or-above user promote their own account to Administrator by sending a crafted nested-array payload to the `/wp-json/wpgb/v2/metadata` REST endpoint. The endpoint's `update()` handler lacks both an authorization check and meta-key validation, so an attacker can overwrite their own `wp_capabilities` user meta. No public exploit has been identified at time of analysis, and the flaw is not on CISA KEV; with CVSS 8.8 and low attack complexity, it is a high-priority patch for any site running this plugin.

Privilege Escalation WordPress
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-11426 MEDIUM This Month

Arbitrary file read in the UnderConstructionPage PRO WordPress plugin (≤ 5.76) exposes sensitive server files to any authenticated subscriber-level user. The plugin's template_thumbnail parameter accepts unsanitized local file paths and copies their contents into the publicly accessible uploads directory, making the exfiltrated data retrievable by unauthenticated third parties after the fact. No public exploit code or CISA KEV listing exists at time of analysis; however, the low privilege bar (subscriber accounts) and high confidentiality impact (CVSS C:H) make this a meaningful risk on multi-user WordPress installations.

WordPress Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12761 CRITICAL Act Now

Authentication bypass in the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) WordPress plugin through version 7.7.0 lets unauthenticated attackers seize any account, including administrators. The Profile Completion flow trusts an attacker-supplied 'email_field' POST value without confirming it matches the OAuth provider's verified identity, and the send_otp_token() routine leaks a SHA-512(customer_key||otp) hash to the client where the OTP is one of only 99,000 values and customer_key is a static (often empty) option - so the OTP can be brute-forced offline in under a second. Rated CVSS 9.8; no public exploit identified at time of analysis, but the full attack primitive is described in the Wordfence advisory.

Authentication Bypass WordPress Google Miniorange Social Login And Register Discord Google Twitter Linkedin
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-13039 MEDIUM This Month

Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.

Authentication Bypass WordPress PHP Eventin Event Calendar Event Registration Tickets Booking Ai Powered
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-15295 MEDIUM This Month

Stored Cross-Site Scripting in the Ajax Load More WordPress plugin (versions through 7.0.1) allows authenticated administrators to inject persistent malicious scripts into pages served to other users. The vulnerability stems from insufficient input sanitization and output escaping in admin-facing settings fields. Exploitation is constrained to WordPress multisite environments or sites with unfiltered_html disabled, and no public exploit or KEV listing exists at time of analysis, keeping real-world risk moderate despite the network-accessible vector.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-1667 HIGH This Week

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the unauthenticated, low-complexity nature makes it an attractive target for automated WordPress campaigns.

Authentication Bypass WordPress XSS Geo Plugin By Squirrly Seo
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-9857 MEDIUM This Month

Authorization bypass in the Invoice123 WordPress plugin (versions up to and including 1.7.0) permits authenticated attackers holding only subscriber-level accounts to overwrite the plugin's external API key, modify invoice configuration settings, and directly alter WooCommerce tax rate records in the database. The root cause is absent capability checks in the plugin's admin-page handlers, meaning low-privilege users can invoke privileged administrative actions over the network. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2026-13710 MEDIUM This Month

Stored Cross-Site Scripting in Jeg Elementor Kit for WordPress versions through 3.2.6 enables authenticated Contributors to inject persistent malicious scripts via the Image Box widget's description field. The root cause is a deliberate inconsistency in the render_body() method of Image_Box_View: every other attribute is sanitized with esc_attr(), but sg_body_description is concatenated raw into HTML body context. Any user who visits a page containing the injected widget executes the payload, enabling session hijacking and potential escalation to Administrator. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.4%
CVE-2026-13247 MEDIUM This Month

Stored Cross-Site Scripting in the Logo Slider WordPress plugin (all versions through 5.5) allows authenticated contributors to inject persistent JavaScript payloads via the 'lgx_tooltip_position' parameter, executing in the browser of any user who subsequently visits an affected page. The CVSS scope change (S:C) reflects that injected scripts execute in victim browser contexts - enabling session hijacking or privilege escalation against higher-privileged users including site administrators. No public exploit or CISA KEV listing has been identified at time of analysis, though the low attack complexity and the breadth of contributor-level accounts on WordPress sites make this a realistic risk for multi-author installations.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-13010 MEDIUM This Month

Time-based SQL injection in the JoomSport WordPress plugin (all versions through 5.7.9) enables authenticated contributors to exfiltrate sensitive database contents via unsanitized 'event' shortcode attributes. The flaw exists in at least two code paths - joomsport-shortcodes.php and class-jsport-getplayers.php - where user-supplied shortcode parameters are interpolated into SQL queries without parameterization or adequate escaping. Because WordPress Contributor-level users can embed shortcodes in posts and pages, the effective attacker pool includes any registered user granted that role, broadening realistic exposure beyond typical authenticated-only flaws. No public exploit code or CISA KEV listing identified at time of analysis, but a patch commit (changeset 3594276) is referenced in the plugin repository.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-12918 MEDIUM This Month

Second-order SQL injection in Mail Mint WordPress plugin (all versions ≤ 1.24.1) allows authenticated administrators to exfiltrate arbitrary data from the WordPress database via the 'recipients' parameter in the campaign REST API. The attack exploits a two-stage flaw: a malicious SQL payload bypasses int-cast input validation at write time and persists unsanitized, then fires during a subsequent campaign retrieval request that passes the raw value into an unparameterized query. No public exploit or CISA KEV listing has been identified at time of analysis; real-world risk is moderated by the required administrator-level authentication.

WordPress SQLi
NVD
CVSS 3.1
4.9
EPSS
0.5%
CVE-2026-11990 MEDIUM This Month

Authorization bypass in the KiviCare WordPress EHR plugin (all versions through 4.4.0) allows unauthenticated network attackers to confirm arbitrary pending clinic appointments and inject forged payment records into the wp_kc_payments_appointment_mappings table using attacker-supplied payment IDs, completely circumventing the payment collection process. The root defect is a two-part failure: the appointments API controller does not verify user authorization before processing status changes, and the KCPaymentGatewayFactory returns all registered gateways regardless of admin-enabled status - meaning the KCPayLater manual-payment gateway is always selectable, even by unauthenticated callers on default installations. No public exploit or CISA KEV listing exists at time of analysis, though the trivially low attack complexity makes scripted abuse realistic.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.6%
CVE-2026-9838 MEDIUM This Month

Reflected XSS in the ICS Calendar WordPress plugin (all versions ≤ 12.0.9) allows unauthenticated network attackers to inject arbitrary JavaScript into victim browsers by exploiting a missing nonce check and input sanitization failure on the publicly accessible wp_ajax_nopriv_r34ics_ajax AJAX endpoint. The attacker-controlled js_args object is merged over stored shortcode configuration before allowlist validation, enabling the htmltagtitle key to reach the calendar-month.php template unescaped. No public exploit code or CISA KEV listing exists at time of analysis, though the scope-changing CVSS vector (S:C) and zero authentication barrier make socially engineered delivery via crafted URLs a realistic threat to any site running this plugin.

WordPress XSS Ics Calendar
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15026 MEDIUM This Month

Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Information Disclosure Import And Export Users And Customers
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11992 MEDIUM This Month

Authorization bypass in the Easy Appointments WordPress plugin (all versions up to and including 3.12.27) permits any authenticated user holding the Author role or above to mass-cancel every future appointment across the entire site by exploiting a missing capability check on the plugin's AJAX cancellation handler. The attack is made trivially accessible because the nonce required to authenticate the cancellation request is rendered directly on the Appointments admin page, which is gated only by the `edit_posts` capability that Authors possess by default. No public exploit has been identified at time of analysis, but the low privilege barrier and deterministic exploit path present a high-consequence business-disruption risk for any organization running booking workflows on affected installations.

Authentication Bypass WordPress Easy Appointments
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2025-11977 MEDIUM This Month

Local File Inclusion in the Happyforms WordPress plugin (all versions through 1.26.12) allows authenticated administrators to include and execute arbitrary PHP files on the server via the happyforms_get_form_partial() function, enabling full remote code execution when the attacker can also upload PHP files. The vulnerability is rooted in unsanitized filename handling (CWE-98) within the form template rendering logic, as evidenced by the affected files class-wp-customize-form-manager.php and helper-form-templates.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the Administrator-level access prerequisite substantially limits the realistic attacker population.

WordPress LFI RCE PHP Information Disclosure +1
NVD VulDB
CVSS 3.1
6.6
EPSS
0.5%
CVE-2026-12955 MEDIUM This Month

Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up to 4.3.6) is achievable by any authenticated subscriber-level user. The vulnerability stems from a dual failure - absent capability check and absent nonce verification - on the wp_ajax_gcc_save_schedule_scan AJAX action, allowing low-privileged users to overwrite the gdpr_scan_schedule_data option that is administratively intended to require manage_options capability. No public exploit has been identified and the flaw is not listed in CISA KEV; a patched version (4.3.7) is available via the plugin's SVN repository.

Authentication Bypass WordPress Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-6440 MEDIUM This Month

Cross-Site Request Forgery in the GoodMeet WordPress plugin (versions up to and including 1.1.8) enables unauthenticated remote attackers to wipe a site's stored Google Meet API credentials and OAuth tokens by deceiving a logged-in administrator into triggering a crafted request. The vulnerable reset_credential() function handling the wp_ajax_goodmeet_reset_google_meet_credential AJAX action checks the manage_options capability but omits mandatory WordPress nonce validation, allowing any cross-origin request to be processed as legitimate. The practical outcome is complete disabling of the site's Google Meet integration with no data disclosure; no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF Google Goodmeet Google Meet Integration For Webinar Meeting Video Conference
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12400 MEDIUM This Month

Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass WordPress Flowforms Conversational Form Builder
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-6802 MEDIUM This Month

Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.

Authentication Bypass WordPress Easy Upload Files During Checkout
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-1946 MEDIUM This Month

Unauthorized GravityWrite disconnection in the GW AI Website Builder WordPress plugin (versions ≤ 1.0.1) is achievable by any authenticated subscriber-level user due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() AJAX function. The flaw allows low-privilege WordPress accounts to sever the plugin's integration with the GravityWrite AI service, degrading AI-powered site-building functionality for all users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; impact is confined to service integrity disruption rather than data exfiltration or code execution.

Authentication Bypass WordPress Gw Ai Website Builder
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14475 MEDIUM This Month

SQL Injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (versions up to and including 4.3.6) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'scan_id' parameter in the cookie scanner module. Exploitation is constrained to administrator-level accounts (PR:H per CVSS vector), making this a privileged read-only database extraction flaw rather than a broad remote attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis; a patch commit is referenced in the WordPress plugin repository changeset.

WordPress SQLi Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
NVD VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-12924 MEDIUM This Month

Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped `etn_faq_content` parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and commonly granted contributor role make this a credible insider-threat risk on multi-user WordPress installations.

WordPress XSS Eventin Event Calendar Event Registration Tickets Booking Ai Powered
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-3907 MEDIUM This Month

Stored Cross-Site Scripting in the Hostel WordPress plugin (all versions through 1.1.7) permits authenticated Contributor-level users to permanently inject arbitrary JavaScript into WordPress pages via the second attribute of the `wphostel-book` shortcode, which is passed unsanitized to the `$text` variable and rendered raw into an HTML `value` attribute without `esc_attr()` escaping. Any user who subsequently views an injected page will execute the attacker's payload in their browser, enabling session hijacking or privilege escalation against higher-privileged site users. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; the primary risk is to WordPress sites that grant Contributor access to untrusted or semi-trusted users.

WordPress XSS Hostel
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12108 MEDIUM This Month

Stored Cross-Site Scripting in the Highlighting Code Block WordPress plugin (versions ≤ 2.2.0) allows authenticated attackers holding administrator-level permissions to inject persistent malicious scripts via the plugin's admin settings panel, with those scripts executing in the browsers of any user who subsequently visits an affected page. Exploitation is constrained to WordPress multi-site network installations or single-site deployments where the unfiltered_html capability has been explicitly disabled - conditions that are non-default and substantially narrow the attacker population. No public exploit code or active exploitation has been identified at time of analysis; Wordfence, the reporting source, has published a fix commit to the plugin's SVN repository, though a specific patched release version is not yet confirmed.

WordPress XSS Highlighting Code Block
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-15104 MEDIUM This Month

SQL Injection in the BetterDocs WordPress plugin (versions up to and including 4.6.0) enables authenticated attackers holding at minimum a custom-level WordPress role to append arbitrary SQL to existing queries via the unsanitized `lang` parameter, extracting sensitive data from the underlying database. The attack surface is restricted to sites where one of five specific multilingual plugins (WPML, Polylang, qTranslate, Weglot, or TranslatePress) is active, as the vulnerable code path is guarded by `Helper::is_multilingual_active()`. No public exploit identified at time of analysis; EPSS data unavailable, and the CVE is not listed in CISA KEV.

WordPress SQLi Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13347 HIGH This Week

Arbitrary file read in the Hide My WP Lite WordPress plugin (versions ≤ 1.3) lets unauthenticated attackers disclose any file readable by the web server - including wp-config.php with database credentials and secret keys - by abusing the he_wrapper_js and he_wrapper_css parameters handled by elementor_assets_filter(). Reported by Wordfence and rated CVSS 7.5, the flaw is confidentiality-only but exposes crypto salts and DB secrets that enable deeper compromise. There is no public exploit identified at time of analysis, and exploitation depends on the site also running Elementor with the plugin's 'Hide Elementor' feature enabled.

WordPress Path Traversal Hide My Wp Lite
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-12685 HIGH POC This Week

The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.

WordPress Information Disclosure Escortwp
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-12276 MEDIUM POC PATCH This Month

Unauthenticated account registration bypass in the LA-Studio Element Kit for Elementor WordPress plugin (all versions before 1.6.1) allows remote, unauthenticated attackers to create WordPress user accounts on sites where site-wide registration has been explicitly disabled by the administrator. The vulnerable component is an unauthenticated AJAX action handler that omits the standard WordPress registration-status check, effectively nullifying an administrative security control. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 1.6.1; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

WordPress Information Disclosure La Studio Element Kit For Elementor
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-12123 MEDIUM This Month

Server-Side Request Forgery in the All-in-One Video Gallery WordPress plugin (all versions through 4.8.5) enables a two-stage attack where a subscriber-level authenticated user plants an internal or loopback URL into a video post's mp4 meta field via the XML-RPC wp.newPost method, then any unauthenticated party can trigger the ?vdl=<post_id> endpoint to force the server to fetch that URL and stream the full response body - enabling reconnaissance of internal services including cloud metadata endpoints. The CVSS scope change (S:C) captures the critical decoupling: subscriber-level credentials are needed only for setup, while the actual SSRF trigger requires no authentication at all. No public exploit identified at time of analysis, though the Wordfence advisory documents the complete attack chain with specific code line references.

WordPress SSRF All In One Video Gallery
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15302 MEDIUM This Month

Path traversal via the unsanitized 'X-FILENAME' HTTP header in the ARMember WordPress membership plugin allows unauthenticated remote attackers to upload and overwrite files outside the intended 'wp-content/uploads/armember' directory on affected WordPress installations running versions 4.0.27 and earlier. The integrity impact is limited by the plugin's handling of 'certain files (e.g., CSS)' rather than arbitrary file types, capping the CVSS score at 5.3 Medium; however, successful exploitation can enable website defacement or manipulation of frontend assets without any authentication. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress Path Traversal
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-15301 MEDIUM This Month

Stored Cross-Site Scripting in the BuddyHolis TableSearch plugin for WordPress (all versions ≤1.1.0) permits authenticated attackers holding Contributor-level or higher role access to inject persistent JavaScript via the 'placeholder' parameter, which then executes in the browsers of every subsequent visitor to the affected page. The Scope:Changed CVSS metric reflects that payload impact crosses from the WordPress plugin into victims' browser environments, enabling session hijacking, credential theft, or administrative account takeover if an administrator views the injected page. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low authentication bar makes this relevant for any WordPress site permitting open contributor registration.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15300 CRITICAL Act Now

Unauthenticated SQL injection in the GEO my WP WordPress plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through the numeric 'distance', 'lat', and 'lng' parameters of the proximity-search feature. Because the values are parsed from the raw query string and only passed through esc_sql() at unquoted numeric positions, payloads such as `1 OR SLEEP(3)` execute directly against the database. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV, but the network, no-auth attack profile makes it a high patching priority.

WordPress SQLi PHP
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-15299 MEDIUM This Month

Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions through 2.6.3) enables authenticated attackers with Contributor-level access to permanently inject arbitrary JavaScript into pages using the Weather widget. The payload renders unescaped for every subsequent visitor, enabling session hijacking, credential theft, or admin-context privilege escalation without further attacker interaction. No CISA KEV listing and no public exploit code have been identified at time of analysis, but the low attack complexity combined with scope change to victims' browsers makes this a credible risk for multi-author WordPress deployments running this plugin with the Weather widget actively configured.

WordPress XSS PHP
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15298 HIGH This Week

DOM-based cross-site scripting in the TelSender WordPress plugin (all versions through 1.14.14) lets unauthenticated attackers plant a malicious payload inside a Telegram chat title that the plugin renders unsanitized. When an administrator opens the TelSender settings page and clicks the 'Tested' button, the plugin processes the attacker-controlled Telegram API response and executes the injected script in the admin's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the scope-changed CVSS 7.2 reflects execution in the privileged admin context.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-15297 MEDIUM This Month

Reflected Cross-Site Scripting in the Brevo (formerly Sendinblue) Newsletter, SMTP, Email marketing and Subscribe forms WordPress plugin allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in victims' browsers through a crafted URL containing a malicious payload in the `page` parameter. All plugin versions up to and including 3.1.77 are affected, with the root flaw traced to insufficient input sanitization and output escaping in `inc/table-forms.php` at line 102. No active exploitation has been confirmed in CISA KEV, and no POC code is identified in the provided data, though the CVSS scope-change rating (S:C) elevates the effective impact beyond the plugin's own context.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15296 MEDIUM This Month

Stored Cross-Site Scripting in the affiliate-toolkit WP Affiliate Plugin with Amazon (versions through 3.7.0) allows authenticated contributors to inject persistent malicious scripts via the 'atkp_product' shortcode due to unsanitized user-supplied attributes. This represents a bypass of the previously patched CVE-2024-10227, indicating the prior fix was incomplete. Any WordPress user - including administrators - who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session theft, credential harvesting, or unauthorized admin actions. No public exploit or CISA KEV listing is identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15293 HIGH This Week

Privilege escalation in the WP Business Intelligence Lite WordPress plugin (all versions through 3.2.0) allows authenticated Subscriber-level users to tamper with stored SQL queries because the plugin fails to enforce a capability/authorization check on the query-modification action (CWE-862). When an administrator later views the maliciously altered query, the attacker's arbitrary SQL executes in the admin context, enabling account takeover or full site compromise. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported through the Wordfence threat intelligence program.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2026-15292 MEDIUM This Month

Stored Cross-Site Scripting in the Sudoku Shortcode WordPress plugin (all versions through 1.0.0) allows authenticated Contributors to inject persistent malicious scripts via the unsanitized 'background' parameter of the 'sudoku-sc' shortcode. Once injected into a page or post, the payload executes in the browser of every subsequent visitor, including administrators, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, though Wordfence has catalogued the vulnerability in their threat intelligence database.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15291 HIGH This Week

{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-15290 HIGH This Week

Blind SQL injection in the Ultimate Member WordPress plugin (all versions through 2.10.1) lets unauthenticated attackers inject arbitrary SQL through the member-directory search parameter, enabling extraction of sensitive database contents such as password hashes and user records. The flaw is a residual gap from the earlier CVE-2025-0308 fix, which was only partially remediated in 2.9.2. No public exploit has been identified at time of analysis, but the plugin's large install base and unauthenticated network reachability make it an attractive target.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-15289 MEDIUM This Month

Time-based SQL Injection in the Booking Calendar, Appointment Booking System WordPress plugin (versions ≤ 3.2.17) permits unauthenticated remote attackers to extract sensitive database contents via the 'wpdevart_id' parameter. The flaw exists in main_class.php due to insufficient parameter escaping and unprepared SQL queries, but is only triggerable when the Pro version is installed with the 'Delete previous dates' option enabled - a non-default configuration that meaningfully limits the exposed population. No public exploit code and no CISA KEV listing have been identified at time of analysis; the CVSS 5.9 Medium rating reflects both the high confidentiality impact and the high attack complexity imposed by the conditional prerequisites.

WordPress SQLi
NVD
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-15288 HIGH This Week

Payment amount tampering in the SureForms WordPress plugin (versions ≤ 2.2.1) lets unauthenticated attackers submit arbitrary prices when completing Stripe checkout. Because the 'create_payment_intent' and 'create_subscription_intent' handlers trust the amount supplied in user-controlled POST data instead of the form's server-side configured price, an attacker can purchase products or subscriptions for a fraction of their real cost. Reported by Wordfence and fixed in 2.2.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-15287 MEDIUM This Month

Time-based blind SQL injection in the rtMedia for WordPress, BuddyPress and bbPress plugin (versions up to and including 4.6.18) allows authenticated attackers with subscriber-level access or higher to exfiltrate sensitive data from the WordPress database via the `order_by` parameter. The low authentication bar - any registered user qualifies - combined with a network-accessible attack vector and high confidentiality impact makes this a meaningful risk for community or membership sites with open user registration enabled. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique (time-based blind SQLi) is well-understood and requires no specialized tooling.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-15286 MEDIUM This Month

Unauthorized post publication in Kadence Blocks (Gutenberg Blocks with AI by Kadence WP) versions up to and including 3.5.32 allows authenticated WordPress contributors to immediately publish posts, pages, and custom post types - entirely bypassing the platform's standard contributor review workflow. The flaw stems from a misconfigured capability check in the `get_items_permission_check` permission callback on the `process_pattern` REST API endpoint (CWE-863: Incorrect Authorization). No active exploitation is confirmed via CISA KEV, no public POC has been identified, and the CVSS score of 4.3 reflects a limited integrity-only impact with no confidentiality or availability consequences.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-15285 MEDIUM This Month

Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions through 6.4.11) allows authenticated contributors to inject persistent malicious scripts into pages via the Button widget's `custom_attributes` parameter. The root cause is a bypassable sanitization filter (`tp_senitize_js_input()`) in `modules/widgets/tp_button.php` that fails to properly neutralize HTML/JS content before rendering. When an administrator or other privileged user subsequently views an affected page, the stored payload executes in their browser context, enabling session hijacking or unauthorized administrative actions. No public exploit identified at time of analysis; patch is available in version 6.4.12.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15284 MEDIUM This Month

Stored Cross-Site Scripting in King Addons for Elementor (WordPress plugin, versions ≤51.1.62) allows authenticated attackers with subscriber-level access to inject persistent JavaScript into the WordPress admin submissions panel. The flaw stems from a two-stage sanitization failure: `sanitize_text_field()` applied during form submission storage preserves double-quote characters in `form_page_id`, and the downstream `king_addons_submissions_custom_column_content()` function then concatenates that stored value into an HTML `href` attribute via `admin_url()` without wrapping the result in `esc_url()`. No public exploit or CISA KEV listing exists at time of analysis; EPSS data was not provided in the input.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15283 MEDIUM This Month

Stored Cross-Site Scripting in the WPvivid Backup for MainWP WordPress plugin (all versions up to and including 0.9.33) allows authenticated administrators to inject persistent malicious scripts via plugin settings fields, which then execute in any user's browser upon visiting an affected page. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, and requires an attacker to already hold administrator-level credentials. No public exploit code has been identified at time of analysis, and the CVSS 4.4 Medium score reflects both the high privilege bar and the specialized deployment conditions required.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-15282 CRITICAL Act Now

Unauthenticated arbitrary file upload in the Instant Appointment WordPress plugin (all versions ≤ 1.2) lets remote attackers upload files of any type through the 'insapp_upload_image_as_attachment' function, which lacks file-type validation, potentially enabling remote code execution by planting a PHP webshell. Any WordPress site running the plugin is exploitable without authentication or user interaction, matching its 9.8 CVSS rating. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-11818 MEDIUM This Month

Authorization bypass in the WPCafe WordPress plugin (all versions through 3.0.14) allows any authenticated subscriber-level user to fully manage email notification flow workflows that are intended to be administrator-only. The FlowAPI REST endpoints bundled within the plugin's email notification SDK rely solely on a wp_rest nonce for access control - a token freely obtainable from the frontend page source by any logged-in user - completely bypassing role-based authorization. No public exploit or active exploitation has been identified at time of analysis, though the low exploitation complexity makes this a realistic risk on sites with open user registration.

Authentication Bypass WordPress Wpcafe Restaurant Menu Online Food Ordering Table Booking System
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-11392 MEDIUM This Month

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits unauthenticated remote attackers to inject arbitrary JavaScript via the check_in_date and check_out_date URL parameters across multiple search result and Elementor widget templates. Successful exploitation requires tricking a victim into clicking a crafted link, after which the injected script executes in the victim's browser context - making logged-in administrators particularly high-value targets. No public exploit has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

WordPress XSS Wp Hotel Booking
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-13430 HIGH This Week

Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.

WordPress PHP RCE File Upload Post Export Import With Media
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2026-15070 HIGH This Week

Remote code execution in the Salon Booking System - Free Version WordPress plugin (all versions ≤ 10.30.32) lets a remote attacker write attacker-controlled PHP into the plugin's web-accessible translate-constants.php file by abusing the unprotected setCustomText AJAX handler. Because the handler lacks proper nonce validation (CWE-352 CSRF), an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link can achieve full server-side code execution. Reported by Wordfence with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.

WordPress CSRF RCE PHP Salon Booking System Free Version
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14894 CRITICAL Act Now

Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial exploitability make this a high-priority patch item.

WordPress RCE File Upload Super Forms Drag Drop Form Builder
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-5069 MEDIUM This Month

Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. No public exploit code has been identified at time of analysis, and the flaw is not listed in CISA KEV, but the low bar for exploitation (any registered site account) raises practical risk for sites using Fluent Forms payment/subscription features.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-12598 HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers log in as any existing user - including Administrators - when the Spotify Social Login addon is enabled. The flaw stems from the plugin trusting the unverified email returned by Spotify's /v1/me endpoint to match and authenticate a WordPress account, so an attacker who registers a Spotify account with a victim's email gains that victim's session. No public exploit has been identified at time of analysis; CVSS is 8.1 with attack complexity rated High due to the required addon configuration.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-12597 HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions up to and including 6.2.3) lets unauthenticated attackers hijack any existing account, including administrators, by abusing the GitHub OAuth social-login callback. The loginpress_on_github_login() function binds the login session to profile[0]['email'] from GitHub's /user/emails endpoint without checking the verified flag, so an attacker who adds an unverified email matching a victim's account and triggers the callback can be logged in as that user. This maps to CWE-287 and carries a CVSS 8.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-12595 HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers hijack any existing account - administrators included - by exploiting the Discord OAuth login handler, which trusts the email returned by Discord without checking Discord's verified flag. An attacker who knows a target's WordPress email registers a Discord account with that same (unverified) email and completes the normal OAuth flow to receive an authenticated session as the victim. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw was reported by Wordfence and is a full account-takeover primitive.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-13492 HIGH This Week

Arbitrary file deletion in the UsersWP WordPress plugin (versions ≤ 1.2.65) lets authenticated Subscriber-level users delete any file on the server, including wp-config.php, which can escalate into full site takeover. The flaw stems from unsanitized directory-traversal sequences in file-field metadata reaching an unlink() call in the upload_file_remove() AJAX handler. Reported by Wordfence with no public exploit identified at time of analysis and no active-exploitation (KEV) listing; an upstream code fix is available.

WordPress Path Traversal
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-9253 HIGH This Week

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not confirmed in the wild.

WordPress XSS Wp Cost Estimation Payment Forms Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-12428 MEDIUM This Month

Unauthorized data disclosure in the Blocks for ACF Fields WordPress plugin (versions up to and including 1.6.2) allows any authenticated user holding the Author role or above to read ACF field values from arbitrary WordPress objects - including private posts, drafts, and posts owned by other users - via an insecure REST API endpoint. The flaw stems from the REST handler accepting a user-supplied post ID and passing it directly to get_field_objects() without verifying whether the requester holds read permission on that specific object, a classic object-level authorization failure (CWE-862). Reported by Wordfence; no CISA KEV listing and no standalone public exploit code identified at time of analysis, though exploitation is operationally trivial for any attacker with a valid Author-level WordPress account.

Authentication Bypass WordPress Blocks For Acf Fields Display Custom Fields In The Block Editor
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-9021 MEDIUM This Month

Unauthenticated remote manipulation of published business quotes is possible in the Easy Invoice WordPress plugin (versions up to and including 2.1.19) due to missing authorization on AJAX endpoints. The plugin registers quote acceptance and decline actions via wp_ajax_nopriv_ hooks - making them reachable without credentials - while the only gate is a per-quote nonce that is embedded directly in the publicly viewable single-quote template. The ownership restriction that would prevent non-owners from acting on quotes is controlled by an off-by-default Pro feature flag, meaning the overwhelming majority of free-tier deployments are fully exposed to arbitrary quote status manipulation, including automatic invoice generation and client email dispatch. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress Easy Invoice Invoice Generator Pdf Quotes Payments
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9237 MEDIUM This Month

Authorization bypass in the Crew HRM WordPress plugin (all versions ≤ 1.2.2) allows any authenticated subscriber-level user to delete, archive, unarchive, and duplicate arbitrary job listings - including associated stages, metadata, addresses, and applications - by supplying an arbitrary integer job_id. The nonce that nominally gates these actions via Dispatcher::dispatch() is deliberately exposed to every authenticated frontend visitor through wp_head script localization, making the bypass trivially reproducible by any user with a WordPress account. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists; however, the nonce leak collapses the practical access barrier to subscriber level.

Authentication Bypass WordPress Employee Leave And Recruitment Management System Crew Hrm
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9235 MEDIUM This Month

Unauthorized shipping label manipulation in DHL eCommerce (Benelux) for WooCommerce versions up to 2.2.3 allows any authenticated WordPress user - down to Subscriber level - to create or delete DHL shipping labels for any WooCommerce order site-wide. The two vulnerable AJAX handlers lack both capability verification and nonce (CSRF token) checks, meaning the attacker-supplied order ID is acted upon without confirming the caller has order management rights. No public exploit is identified and this is not listed in CISA KEV, but the low authentication bar (any registered user) and operational impact on fulfillment make this a meaningful risk for Benelux e-commerce stores with open user registration.

Authentication Bypass WordPress Dhl Ecommerce Benelux For Woocommerce
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14372 HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE Bit Form Contact Form Payment Forms Multi Step Forms Calculator Custom Form Builder
NVD
CVSS 3.1
7.1
EPSS
0.7%
CVE-2026-4275 HIGH This Week

Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. No public exploit is identified at time of analysis, but installing an attacker-supplied plugin yields effective remote code execution on the site.

WordPress CSRF Divi Torque Lite Divi Modules For The Divi Builder Theme
NVD
CVSS 3.1
8.8
EPSS
0.2%
EPSS 0% CVSS 5.3
MEDIUM This Month

Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.

Authentication Bypass WordPress PHP +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized affiliate management actions in the Affilia plugin for WordPress (all versions through 3.3.3) allow any subscriber-level authenticated user to approve or reject referrals, credit commissions to affiliate wallets, delete referral records, and modify banner options - enabling direct financial fraud against WooCommerce stores. The root cause is that the sole authentication gate relies on a WordPress nonce that is publicly embedded in every frontend page load via the JavaScript global `rtwalwm_global_params.rtwalwm_nonce`, making role-based access enforcement trivially bypassable. No public exploit code or CISA KEV listing is identified at time of analysis, but the low exploitation complexity and direct financial fraud impact make this a meaningful operational risk for any site running an affiliate program on this plugin.

Authentication Bypass WordPress Affiliate Program Referral Tracking For Woocommerce Wordpress Affilia
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Themify Builder WordPress plugin (all versions through 7.7.6) enables authenticated attackers holding contributor-level access or higher to persist arbitrary JavaScript via the Map Module's `b_width_map` field. Because the scope changes (S:C in CVSS), the injected payload executes inside every subsequent visitor's browser context - enabling session hijacking, credential theft, or administrative account takeover against any user who views an affected page. No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but the low exploitation complexity and network-accessible attack surface make it a meaningful risk on sites with open or broad contributor registration.

WordPress XSS Themify Builder
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Starboard Suite Reservation Calendars WordPress plugin (all versions through 3.1.4) allows authenticated attackers with Contributor-level access to inject persistent malicious JavaScript via unescaped shortcode attributes in the [starboard-suite-lightbox] shortcode. Any site visitor who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session hijacking, credential theft, or malicious redirects against potentially higher-privileged users such as site administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and scope change to victim browsers make this a meaningful risk on multi-author WordPress sites.

WordPress XSS Starboard Suite Reservation Calendars
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress Pdf Invoices Packing Slips For Woocommerce
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary local file disclosure in the Planyo Online Reservation System WordPress plugin (all versions through 3.0) lets unauthenticated remote attackers read any server-side file. The ulap.php AJAX proxy is reachable without WordPress bootstrapping or authentication and validates only the URL host against an allowlist, not the scheme, so a file://localhost/ URL passes the check and is fetched via curl/fopen. Reported by Wordfence with no public exploit identified at time of analysis; sensitive targets include wp-config.php database credentials and /etc/passwd.

WordPress SSRF PHP +1
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Print, PDF, Email by PrintFriendly WordPress plugin (versions through 5.5.10) allows authenticated administrators to inject persistent JavaScript via the 'content_position_css' parameter, which executes in the browsers of any user who visits an affected page. The scope change (S:C) in the CVSS vector confirms the injected script breaks out of the plugin's security context into victim browsers, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

WordPress XSS Print Pdf Email By Printfriendly
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low authentication barrier and clear impact on site availability and SEO ranking make this a meaningful risk for affected WordPress deployments.

Authentication Bypass WordPress Denial Of Service +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary file upload in the Swiss Toolkit For WP WordPress plugin (versions ≤ 1.4.6) lets authenticated Author-level (and higher) users bypass file-type validation and upload executable PHP, potentially achieving remote code execution on the host. The flaw stems from the upload_extension_files() function using a substring match instead of a real extension check when the optional 'Enhanced Multi-Format Image Support' feature is enabled. Reported by Wordfence with a CVSS of 8.8; no public exploit identified at time of analysis.

WordPress RCE File Upload +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Themify Builder WordPress plugin (all versions through 7.7.6) allows contributor-level authenticated users to inject persistent JavaScript via the 'height_slider' Slider Module field, which executes in the browser of any visitor who loads an injected page. The scope change (S:C in CVSS) captures the cross-context impact: attacker payload runs in victims' sessions, enabling session hijacking, credential theft, or unauthorized admin actions. No active exploitation is confirmed in CISA KEV, but a patch commit (changeset 3601964) is visible in the WordPress plugin SVN repository, suggesting a fix has been committed beyond version 7.7.6.

WordPress XSS Themify Builder
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.

Authentication Bypass WordPress Notification For Telegram
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the StyleMix Motors - Car Dealership & Classified Listings plugin for WordPress (all versions through 1.4.112) lets unauthenticated attackers persist malicious JavaScript through the Comment Content and User Biographical Info fields, which then executes in the browser of any visitor or administrator who views the affected page. The scope-changed CVSS 3.1 score of 7.2 reflects that injected script runs in a security context different from the vulnerable component. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated injection path makes it broadly abusable against sites running this popular automotive/classifieds plugin.

WordPress XSS Motors Car Dealership Classified Listings Plugin
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated remote code execution in the Smackcoders WP Ultimate CSV Importer WordPress plugin (versions up to and including 8.0.1) lets a low-privileged Subscriber run arbitrary PHP on the server. Missing capability checks on the install_addon, saveMappedFields, and StartImport AJAX handlers, plus a plugin nonce leaked to any authenticated admin-page viewer, let an attacker install the WooCommerce add-on, persist PHP expressions in the MappedFields parameter, and force their evaluation through eval() in ImportHelpers::get_meta_values(). No public exploit is identified at time of analysis, and the flaw is not in CISA KEV; with an EPSS signal not provided, the CVSS 8.8 and trivial subscriber prerequisite make it a high patch priority.

Code Injection WordPress PHP +2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive Information Exposure in the Mux Video Uploader WordPress plugin (all versions through 1.1.4) allows any authenticated WordPress user at subscriber level or higher to retrieve Mux API credentials via the `muxvideo_enqueue_settings_script` function. Mux API keys exposed this way could enable unauthorized access to the site's Mux account, including video management and potential billing abuse. Reported by Wordfence; no public exploit code or CISA KEV listing identified at time of analysis.

WordPress Information Disclosure Mux Video Uploader
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress (all versions through 4.5.0) allows authenticated attackers with doctor-level or equivalent access to exfiltrate arbitrary database contents via a manipulated 'orderby' parameter. The flaw exists in DoctorSessionController.php and the KCQueryBuilder base class, where ORDER BY clause inputs are neither escaped nor parameterized, enabling appended SQL to traverse the entire WordPress database - including patient records, credentials, and clinical data. No public exploit code or active exploitation has been identified at time of analysis, though Wordfence has disclosed the vulnerability with source code references.

WordPress SQLi Kivicare Clinic Patient Management System Ehr
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in the LA-Studio Element Kit for Elementor WordPress plugin (all versions through 1.6.1) lets authenticated contributors and above coerce the get_type_template function into including arbitrary server-side .php files, enabling access-control bypass, sensitive data disclosure, and full PHP code execution where an attacker can plant a .php file. Reported by Wordfence with a CVSS 3.1 base score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw stems from wp_normalize_path being relied upon for path safety even though it only canonicalizes separators and never rejects traversal sequences.

WordPress LFI Path Traversal +4
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Sensitive information exposure in the Members - Membership & User Role Editor Plugin for WordPress (all versions through 3.2.22) allows unauthenticated network attackers to exploit the REST API filter `members_filter_protected_posts_for_rest` as a boolean oracle, revealing the existence, count, and inferred keyword content of posts explicitly restricted by membership rules. The mechanism abuses per-page pagination parameters to observe response count changes, enabling iterative inference of hidden post content without ever receiving the post body directly. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV, but the zero-authentication, network-accessible attack surface means any WordPress site using this plugin with sensitive restricted content is exposed by default.

WordPress Oracle Information Disclosure +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Lockme OAuth2 Calendars Integration WordPress plugin (all versions through 2.11.0) permits authenticated administrators to persist arbitrary JavaScript in four settings fields - App ID, App Secret, Bookings ID prefix, and API domain - which then executes in the browser of any user who loads the plugin settings page. The root cause is a missing sanitize callback in register_setting() (Plugin.php:197) paired with unescaped output via direct echo into an HTML value attribute without esc_attr() (lines 212, 223, 245, 256), a classic CWE-79 dual-failure pattern. Exploitation risk is highest in WordPress multisite environments where per-site administrators, who should not have cross-site authority, could poison settings to harvest session tokens or perform actions in the context of super-administrators. No public exploit code and no CISA KEV listing have been identified at time of analysis; an upstream patch changeset (revision 3495564) has been committed to the WordPress plugin repository.

WordPress XSS Lockme Calendars Integration
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. No public exploit code or CISA KEV listing identified at time of analysis.

Authentication Bypass WordPress Points And Rewards For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Majestic Support WordPress help desk plugin (versions up to and including 1.1.9) allows any authenticated WordPress user to extract sensitive data from the site's database by appending arbitrary SQL to queries via the unsanitized 'val' AJAX parameter. Although the description characterizes attackers as 'unauthenticated,' exploitation in practice requires a Subscriber-level account to obtain a 'get-smart-reply' nonce - a low but real barrier accurately reflected in the CVSS PR:L rating. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial nonce-acquisition path (create a ticket, visit the result page) means any user permitted to submit support requests can exploit this on unpatched deployments. Version 1.2.0 appears to resolve the issue based on source code changes in the referenced repository tags.

WordPress SQLi Majestic Support The Leading Edge Help Desk Customer Support Plugin
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the KiviCare - Clinic & Patient Management System (EHR) WordPress plugin through version 4.5.0 enables authenticated clinic users to extract arbitrary data from the underlying database via a manipulated 'orderby' REST API parameter. The flaw resides in DoctorSessionController.php (lines 648 and 660) where user-supplied sort values are concatenated into queries without escaping or prepared-statement protections, cascading through KCQueryBuilder.php. No public exploit code or CISA KEV listing is identified at time of analysis; EPSS data was not provided, but the authenticated-only prerequisite and niche deployment footprint materially limit real-world impact.

WordPress SQLi Kivicare Clinic Patient Management System Ehr
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the SimpLy Gallery Block & Lightbox WordPress plugin (all versions through 3.3.3.2) allows authenticated attackers with Author-level access to inject persistent JavaScript via the sliderMaxHeight block attribute. The root cause is a defective regex in pgc_sgb_sanitize_custom_css() that strips quoted event handlers but silently permits unquoted HTML event handler syntax (e.g., onfocus=alert(document.cookie)), enabling a sanitization bypass that survives to page render. No public exploit or CISA KEV listing is identified at time of analysis, though the stored nature means injected payloads persist and execute against any subsequent visitor - including administrators.

WordPress XSS Simply Gallery
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.

Authentication Bypass WordPress Myparcel
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the WP Grid Builder WordPress plugin (versions ≤ 2.3.3) lets an authenticated Subscriber-or-above user promote their own account to Administrator by sending a crafted nested-array payload to the `/wp-json/wpgb/v2/metadata` REST endpoint. The endpoint's `update()` handler lacks both an authorization check and meta-key validation, so an attacker can overwrite their own `wp_capabilities` user meta. No public exploit has been identified at time of analysis, and the flaw is not on CISA KEV; with CVSS 8.8 and low attack complexity, it is a high-priority patch for any site running this plugin.

Privilege Escalation WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file read in the UnderConstructionPage PRO WordPress plugin (≤ 5.76) exposes sensitive server files to any authenticated subscriber-level user. The plugin's template_thumbnail parameter accepts unsanitized local file paths and copies their contents into the publicly accessible uploads directory, making the exfiltrated data retrievable by unauthenticated third parties after the fact. No public exploit code or CISA KEV listing exists at time of analysis; however, the low privilege bar (subscriber accounts) and high confidentiality impact (CVSS C:H) make this a meaningful risk on multi-user WordPress installations.

WordPress Path Traversal
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in the miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) WordPress plugin through version 7.7.0 lets unauthenticated attackers seize any account, including administrators. The Profile Completion flow trusts an attacker-supplied 'email_field' POST value without confirming it matches the OAuth provider's verified identity, and the send_otp_token() routine leaks a SHA-512(customer_key||otp) hash to the client where the OTP is one of only 99,000 values and customer_key is a static (often empty) option - so the OTP can be brute-forced offline in under a second. Rated CVSS 9.8; no public exploit identified at time of analysis, but the full attack primitive is described in the Wordfence advisory.

Authentication Bypass WordPress Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Eventin WordPress plugin (versions 4.0.26-4.1.15) enables unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID or FluentCart cart hash to the payment_complete() REST endpoint. The wp_rest nonce required to reach this endpoint is embedded in the HTML of every public event page, eliminating any credential or session requirement. This is a confirmed regression - the same function and endpoint were previously patched by Arraytics, but the fix was lost in subsequent releases; no public exploit has been identified at time of analysis.

Authentication Bypass WordPress PHP +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Ajax Load More WordPress plugin (versions through 7.0.1) allows authenticated administrators to inject persistent malicious scripts into pages served to other users. The vulnerability stems from insufficient input sanitization and output escaping in admin-facing settings fields. Exploitation is constrained to WordPress multisite environments or sites with unfiltered_html disabled, and no public exploit or KEV listing exists at time of analysis, keeping real-world risk moderate despite the network-accessible vector.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Missing authorization in the Squirrly SEO plugin for WordPress (all versions through 14.0.0) lets unauthenticated attackers create arbitrary posts by abusing a leaked API token, and — when the Advanced Custom Fields (ACF) plugin is also active — plant stored cross-site scripting that fires whenever any user views the injected page. Wordfence rates it CVSS 7.2 with scope change because a single unauthenticated request can seed persistent content and script that later executes in visitors' and administrators' browsers. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the unauthenticated, low-complexity nature makes it an attractive target for automated WordPress campaigns.

Authentication Bypass WordPress XSS +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Invoice123 WordPress plugin (versions up to and including 1.7.0) permits authenticated attackers holding only subscriber-level accounts to overwrite the plugin's external API key, modify invoice configuration settings, and directly alter WooCommerce tax rate records in the database. The root cause is absent capability checks in the plugin's admin-page handlers, meaning low-privilege users can invoke privileged administrative actions over the network. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Jeg Elementor Kit for WordPress versions through 3.2.6 enables authenticated Contributors to inject persistent malicious scripts via the Image Box widget's description field. The root cause is a deliberate inconsistency in the render_body() method of Image_Box_View: every other attribute is sanitized with esc_attr(), but sg_body_description is concatenated raw into HTML body context. Any user who visits a page containing the injected widget executes the payload, enabling session hijacking and potential escalation to Administrator. No public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Logo Slider WordPress plugin (all versions through 5.5) allows authenticated contributors to inject persistent JavaScript payloads via the 'lgx_tooltip_position' parameter, executing in the browser of any user who subsequently visits an affected page. The CVSS scope change (S:C) reflects that injected scripts execute in victim browser contexts - enabling session hijacking or privilege escalation against higher-privileged users including site administrators. No public exploit or CISA KEV listing has been identified at time of analysis, though the low attack complexity and the breadth of contributor-level accounts on WordPress sites make this a realistic risk for multi-author installations.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based SQL injection in the JoomSport WordPress plugin (all versions through 5.7.9) enables authenticated contributors to exfiltrate sensitive database contents via unsanitized 'event' shortcode attributes. The flaw exists in at least two code paths - joomsport-shortcodes.php and class-jsport-getplayers.php - where user-supplied shortcode parameters are interpolated into SQL queries without parameterization or adequate escaping. Because WordPress Contributor-level users can embed shortcodes in posts and pages, the effective attacker pool includes any registered user granted that role, broadening realistic exposure beyond typical authenticated-only flaws. No public exploit code or CISA KEV listing identified at time of analysis, but a patch commit (changeset 3594276) is referenced in the plugin repository.

WordPress SQLi
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Second-order SQL injection in Mail Mint WordPress plugin (all versions ≤ 1.24.1) allows authenticated administrators to exfiltrate arbitrary data from the WordPress database via the 'recipients' parameter in the campaign REST API. The attack exploits a two-stage flaw: a malicious SQL payload bypasses int-cast input validation at write time and persists unsanitized, then fires during a subsequent campaign retrieval request that passes the raw value into an unparameterized query. No public exploit or CISA KEV listing has been identified at time of analysis; real-world risk is moderated by the required administrator-level authentication.

WordPress SQLi
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Authorization bypass in the KiviCare WordPress EHR plugin (all versions through 4.4.0) allows unauthenticated network attackers to confirm arbitrary pending clinic appointments and inject forged payment records into the wp_kc_payments_appointment_mappings table using attacker-supplied payment IDs, completely circumventing the payment collection process. The root defect is a two-part failure: the appointments API controller does not verify user authorization before processing status changes, and the KCPaymentGatewayFactory returns all registered gateways regardless of admin-enabled status - meaning the KCPayLater manual-payment gateway is always selectable, even by unauthenticated callers on default installations. No public exploit or CISA KEV listing exists at time of analysis, though the trivially low attack complexity makes scripted abuse realistic.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the ICS Calendar WordPress plugin (all versions ≤ 12.0.9) allows unauthenticated network attackers to inject arbitrary JavaScript into victim browsers by exploiting a missing nonce check and input sanitization failure on the publicly accessible wp_ajax_nopriv_r34ics_ajax AJAX endpoint. The attacker-controlled js_args object is merged over stored shortcode configuration before allowlist validation, enabling the htmltagtitle key to reach the calendar-month.php template unescaped. No public exploit code or CISA KEV listing exists at time of analysis, though the scope-changing CVSS vector (S:C) and zero authentication barrier make socially engineered delivery via crafted URLs a realistic threat to any site running this plugin.

WordPress XSS Ics Calendar
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Easy Appointments WordPress plugin (all versions up to and including 3.12.27) permits any authenticated user holding the Author role or above to mass-cancel every future appointment across the entire site by exploiting a missing capability check on the plugin's AJAX cancellation handler. The attack is made trivially accessible because the nonce required to authenticate the cancellation request is rendered directly on the Appointments admin page, which is gated only by the `edit_posts` capability that Authors possess by default. No public exploit has been identified at time of analysis, but the low privilege barrier and deterministic exploit path present a high-consequence business-disruption risk for any organization running booking workflows on affected installations.

Authentication Bypass WordPress Easy Appointments
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

Local File Inclusion in the Happyforms WordPress plugin (all versions through 1.26.12) allows authenticated administrators to include and execute arbitrary PHP files on the server via the happyforms_get_form_partial() function, enabling full remote code execution when the attacker can also upload PHP files. The vulnerability is rooted in unsanitized filename handling (CWE-98) within the form template rendering logic, as evidenced by the affected files class-wp-customize-form-manager.php and helper-form-templates.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the Administrator-level access prerequisite substantially limits the realistic attacker population.

WordPress LFI RCE +3
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized modification of cookie scan schedule configuration in the GDPR Cookie Consent WordPress plugin (versions up to 4.3.6) is achievable by any authenticated subscriber-level user. The vulnerability stems from a dual failure - absent capability check and absent nonce verification - on the wp_ajax_gcc_save_schedule_scan AJAX action, allowing low-privileged users to overwrite the gdpr_scan_schedule_data option that is administratively intended to require manage_options capability. No public exploit has been identified and the flaw is not listed in CISA KEV; a patched version (4.3.7) is available via the plugin's SVN repository.

Authentication Bypass WordPress Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the GoodMeet WordPress plugin (versions up to and including 1.1.8) enables unauthenticated remote attackers to wipe a site's stored Google Meet API credentials and OAuth tokens by deceiving a logged-in administrator into triggering a crafted request. The vulnerable reset_credential() function handling the wp_ajax_goodmeet_reset_google_meet_credential AJAX action checks the manage_options capability but omits mandatory WordPress nonce validation, allowing any cross-origin request to be processed as legitimate. The practical outcome is complete disabling of the site's Google Meet integration with no data disclosure; no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF Google +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the FlowForms - Conversational Form Builder WordPress plugin (all versions through 1.1.1) allows authenticated contributors to modify, publish, or revert any form on the site - including forms owned by administrators - by supplying an arbitrary form ID to the unvalidated REST API update_form endpoint. Wordfence reported this flaw, and a fix changeset exists in the WordPress plugin SVN repository, though an explicit patched release version is not independently confirmed. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass WordPress Flowforms Conversational Form Builder
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated media library attachment deletion affects the Easy Upload Files During Checkout WordPress plugin through version 3.0.1, enabling any remote visitor to permanently destroy arbitrary files from the site's media library with no credentials. The root cause is CWE-639: the ufdc_custom_init() hook processes a user-controlled 'eufdc-delete' parameter without nonce verification, capability checks, or attachment ownership validation, reducing authorization to a trivial parameter-guessing exercise against sequential WordPress attachment IDs. No public exploit code or CISA KEV listing has been identified, but the attack requires zero prerequisites beyond plugin presence, making it trivially reproducible.

Authentication Bypass WordPress Easy Upload Files During Checkout
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized GravityWrite disconnection in the GW AI Website Builder WordPress plugin (versions ≤ 1.0.1) is achievable by any authenticated subscriber-level user due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() AJAX function. The flaw allows low-privilege WordPress accounts to sever the plugin's integration with the GravityWrite AI service, degrading AI-powered site-building functionality for all users. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; impact is confined to service integrity disruption rather than data exfiltration or code execution.

Authentication Bypass WordPress Gw Ai Website Builder
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL Injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (versions up to and including 4.3.6) enables authenticated administrators to append arbitrary SQL to existing queries via the unsanitized 'scan_id' parameter in the cookie scanner module. Exploitation is constrained to administrator-level accounts (PR:H per CVSS vector), making this a privileged read-only database extraction flaw rather than a broad remote attack surface. No public exploit code or CISA KEV listing has been identified at time of analysis; a patch commit is referenced in the WordPress plugin repository changeset.

WordPress SQLi Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Eventin WordPress event management plugin (all versions through 4.1.15) lets any contributor-level user permanently embed malicious JavaScript in event FAQ sections via the unescaped `etn_faq_content` parameter. The CVSS scope change (S:C) confirms the impact crosses the attacker's security context - injected scripts execute in any visitor's browser who loads the affected event page, enabling session hijacking or credential harvesting of higher-privileged users including site administrators. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the low attack complexity and commonly granted contributor role make this a credible insider-threat risk on multi-user WordPress installations.

WordPress XSS Eventin Event Calendar Event Registration Tickets Booking Ai Powered
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Hostel WordPress plugin (all versions through 1.1.7) permits authenticated Contributor-level users to permanently inject arbitrary JavaScript into WordPress pages via the second attribute of the `wphostel-book` shortcode, which is passed unsanitized to the `$text` variable and rendered raw into an HTML `value` attribute without `esc_attr()` escaping. Any user who subsequently views an injected page will execute the attacker's payload in their browser, enabling session hijacking or privilege escalation against higher-privileged site users. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; the primary risk is to WordPress sites that grant Contributor access to untrusted or semi-trusted users.

WordPress XSS Hostel
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Highlighting Code Block WordPress plugin (versions ≤ 2.2.0) allows authenticated attackers holding administrator-level permissions to inject persistent malicious scripts via the plugin's admin settings panel, with those scripts executing in the browsers of any user who subsequently visits an affected page. Exploitation is constrained to WordPress multi-site network installations or single-site deployments where the unfiltered_html capability has been explicitly disabled - conditions that are non-default and substantially narrow the attacker population. No public exploit code or active exploitation has been identified at time of analysis; Wordfence, the reporting source, has published a fix commit to the plugin's SVN repository, though a specific patched release version is not yet confirmed.

WordPress XSS Highlighting Code Block
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the BetterDocs WordPress plugin (versions up to and including 4.6.0) enables authenticated attackers holding at minimum a custom-level WordPress role to append arbitrary SQL to existing queries via the unsanitized `lang` parameter, extracting sensitive data from the underlying database. The attack surface is restricted to sites where one of five specific multilingual plugins (WPML, Polylang, qTranslate, Weglot, or TranslatePress) is active, as the vulnerable code path is guarded by `Helper::is_multilingual_active()`. No public exploit identified at time of analysis; EPSS data unavailable, and the CVE is not listed in CISA KEV.

WordPress SQLi Betterdocs Ai Documentation Knowledge Base Docs Wikis Faq With Chatbot
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in the Hide My WP Lite WordPress plugin (versions ≤ 1.3) lets unauthenticated attackers disclose any file readable by the web server - including wp-config.php with database credentials and secret keys - by abusing the he_wrapper_js and he_wrapper_css parameters handled by elementor_assets_filter(). Reported by Wordfence and rated CVSS 7.5, the flaw is confidentiality-only but exposes crypto salts and DB secrets that enable deeper compromise. There is no public exploit identified at time of analysis, and exploitation depends on the site also running Elementor with the plugin's 'Hide Elementor' feature enabled.

WordPress Path Traversal Hide My Wp Lite
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.

WordPress Information Disclosure Escortwp
NVD WPScan VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated account registration bypass in the LA-Studio Element Kit for Elementor WordPress plugin (all versions before 1.6.1) allows remote, unauthenticated attackers to create WordPress user accounts on sites where site-wide registration has been explicitly disabled by the administrator. The vulnerable component is an unauthenticated AJAX action handler that omits the standard WordPress registration-status check, effectively nullifying an administrative security control. A publicly available proof-of-concept exists via WPScan, and a vendor patch is available in version 1.6.1; no confirmed active exploitation (CISA KEV) has been recorded at time of analysis.

WordPress Information Disclosure La Studio Element Kit For Elementor
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM This Month

Server-Side Request Forgery in the All-in-One Video Gallery WordPress plugin (all versions through 4.8.5) enables a two-stage attack where a subscriber-level authenticated user plants an internal or loopback URL into a video post's mp4 meta field via the XML-RPC wp.newPost method, then any unauthenticated party can trigger the ?vdl=<post_id> endpoint to force the server to fetch that URL and stream the full response body - enabling reconnaissance of internal services including cloud metadata endpoints. The CVSS scope change (S:C) captures the critical decoupling: subscriber-level credentials are needed only for setup, while the actual SSRF trigger requires no authentication at all. No public exploit identified at time of analysis, though the Wordfence advisory documents the complete attack chain with specific code line references.

WordPress SSRF All In One Video Gallery
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Path traversal via the unsanitized 'X-FILENAME' HTTP header in the ARMember WordPress membership plugin allows unauthenticated remote attackers to upload and overwrite files outside the intended 'wp-content/uploads/armember' directory on affected WordPress installations running versions 4.0.27 and earlier. The integrity impact is limited by the plugin's handling of 'certain files (e.g., CSS)' rather than arbitrary file types, capping the CVSS score at 5.3 Medium; however, successful exploitation can enable website defacement or manipulation of frontend assets without any authentication. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress Path Traversal
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the BuddyHolis TableSearch plugin for WordPress (all versions ≤1.1.0) permits authenticated attackers holding Contributor-level or higher role access to inject persistent JavaScript via the 'placeholder' parameter, which then executes in the browsers of every subsequent visitor to the affected page. The Scope:Changed CVSS metric reflects that payload impact crosses from the WordPress plugin into victims' browser environments, enabling session hijacking, credential theft, or administrative account takeover if an administrator views the injected page. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the low authentication bar makes this relevant for any WordPress site permitting open contributor registration.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Unauthenticated SQL injection in the GEO my WP WordPress plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through the numeric 'distance', 'lat', and 'lng' parameters of the proximity-search feature. Because the values are parsed from the raw query string and only passed through esc_sql() at unquoted numeric positions, payloads such as `1 OR SLEEP(3)` execute directly against the database. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV, but the network, no-auth attack profile makes it a high patching priority.

WordPress SQLi PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions through 2.6.3) enables authenticated attackers with Contributor-level access to permanently inject arbitrary JavaScript into pages using the Weather widget. The payload renders unescaped for every subsequent visitor, enabling session hijacking, credential theft, or admin-context privilege escalation without further attacker interaction. No CISA KEV listing and no public exploit code have been identified at time of analysis, but the low attack complexity combined with scope change to victims' browsers makes this a credible risk for multi-author WordPress deployments running this plugin with the Weather widget actively configured.

WordPress XSS PHP
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

DOM-based cross-site scripting in the TelSender WordPress plugin (all versions through 1.14.14) lets unauthenticated attackers plant a malicious payload inside a Telegram chat title that the plugin renders unsanitized. When an administrator opens the TelSender settings page and clicks the 'Tested' button, the plugin processes the attacker-controlled Telegram API response and executes the injected script in the admin's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; the scope-changed CVSS 7.2 reflects execution in the privileged admin context.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Brevo (formerly Sendinblue) Newsletter, SMTP, Email marketing and Subscribe forms WordPress plugin allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in victims' browsers through a crafted URL containing a malicious payload in the `page` parameter. All plugin versions up to and including 3.1.77 are affected, with the root flaw traced to insufficient input sanitization and output escaping in `inc/table-forms.php` at line 102. No active exploitation has been confirmed in CISA KEV, and no POC code is identified in the provided data, though the CVSS scope-change rating (S:C) elevates the effective impact beyond the plugin's own context.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the affiliate-toolkit WP Affiliate Plugin with Amazon (versions through 3.7.0) allows authenticated contributors to inject persistent malicious scripts via the 'atkp_product' shortcode due to unsanitized user-supplied attributes. This represents a bypass of the previously patched CVE-2024-10227, indicating the prior fix was incomplete. Any WordPress user - including administrators - who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session theft, credential harvesting, or unauthorized admin actions. No public exploit or CISA KEV listing is identified at time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Privilege escalation in the WP Business Intelligence Lite WordPress plugin (all versions through 3.2.0) allows authenticated Subscriber-level users to tamper with stored SQL queries because the plugin fails to enforce a capability/authorization check on the query-modification action (CWE-862). When an administrator later views the maliciously altered query, the attacker's arbitrary SQL executes in the admin context, enabling account takeover or full site compromise. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported through the Wordfence threat intelligence program.

Authentication Bypass WordPress Privilege Escalation
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Sudoku Shortcode WordPress plugin (all versions through 1.0.0) allows authenticated Contributors to inject persistent malicious scripts via the unsanitized 'background' parameter of the 'sudoku-sc' shortcode. Once injected into a page or post, the payload executes in the browser of every subsequent visitor, including administrators, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, though Wordfence has catalogued the vulnerability in their threat intelligence database.

WordPress XSS
NVD
EPSS 0% CVSS 7.5
HIGH This Week

{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Blind SQL injection in the Ultimate Member WordPress plugin (all versions through 2.10.1) lets unauthenticated attackers inject arbitrary SQL through the member-directory search parameter, enabling extraction of sensitive database contents such as password hashes and user records. The flaw is a residual gap from the earlier CVE-2025-0308 fix, which was only partially remediated in 2.9.2. No public exploit has been identified at time of analysis, but the plugin's large install base and unauthenticated network reachability make it an attractive target.

WordPress SQLi
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Time-based SQL Injection in the Booking Calendar, Appointment Booking System WordPress plugin (versions ≤ 3.2.17) permits unauthenticated remote attackers to extract sensitive database contents via the 'wpdevart_id' parameter. The flaw exists in main_class.php due to insufficient parameter escaping and unprepared SQL queries, but is only triggerable when the Pro version is installed with the 'Delete previous dates' option enabled - a non-default configuration that meaningfully limits the exposed population. No public exploit code and no CISA KEV listing have been identified at time of analysis; the CVSS 5.9 Medium rating reflects both the high confidentiality impact and the high attack complexity imposed by the conditional prerequisites.

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Payment amount tampering in the SureForms WordPress plugin (versions ≤ 2.2.1) lets unauthenticated attackers submit arbitrary prices when completing Stripe checkout. Because the 'create_payment_intent' and 'create_subscription_intent' handlers trust the amount supplied in user-controlled POST data instead of the form's server-side configured price, an attacker can purchase products or subscriptions for a fraction of their real cost. Reported by Wordfence and fixed in 2.2.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in the rtMedia for WordPress, BuddyPress and bbPress plugin (versions up to and including 4.6.18) allows authenticated attackers with subscriber-level access or higher to exfiltrate sensitive data from the WordPress database via the `order_by` parameter. The low authentication bar - any registered user qualifies - combined with a network-accessible attack vector and high confidentiality impact makes this a meaningful risk for community or membership sites with open user registration enabled. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique (time-based blind SQLi) is well-understood and requires no specialized tooling.

WordPress SQLi
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized post publication in Kadence Blocks (Gutenberg Blocks with AI by Kadence WP) versions up to and including 3.5.32 allows authenticated WordPress contributors to immediately publish posts, pages, and custom post types - entirely bypassing the platform's standard contributor review workflow. The flaw stems from a misconfigured capability check in the `get_items_permission_check` permission callback on the `process_pattern` REST API endpoint (CWE-863: Incorrect Authorization). No active exploitation is confirmed via CISA KEV, no public POC has been identified, and the CVSS score of 4.3 reflects a limited integrity-only impact with no confidentiality or availability consequences.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions through 6.4.11) allows authenticated contributors to inject persistent malicious scripts into pages via the Button widget's `custom_attributes` parameter. The root cause is a bypassable sanitization filter (`tp_senitize_js_input()`) in `modules/widgets/tp_button.php` that fails to properly neutralize HTML/JS content before rendering. When an administrator or other privileged user subsequently views an affected page, the stored payload executes in their browser context, enabling session hijacking or unauthorized administrative actions. No public exploit identified at time of analysis; patch is available in version 6.4.12.

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in King Addons for Elementor (WordPress plugin, versions ≤51.1.62) allows authenticated attackers with subscriber-level access to inject persistent JavaScript into the WordPress admin submissions panel. The flaw stems from a two-stage sanitization failure: `sanitize_text_field()` applied during form submission storage preserves double-quote characters in `form_page_id`, and the downstream `king_addons_submissions_custom_column_content()` function then concatenates that stored value into an HTML `href` attribute via `admin_url()` without wrapping the result in `esc_url()`. No public exploit or CISA KEV listing exists at time of analysis; EPSS data was not provided in the input.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the WPvivid Backup for MainWP WordPress plugin (all versions up to and including 0.9.33) allows authenticated administrators to inject persistent malicious scripts via plugin settings fields, which then execute in any user's browser upon visiting an affected page. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, and requires an attacker to already hold administrator-level credentials. No public exploit code has been identified at time of analysis, and the CVSS 4.4 Medium score reflects both the high privilege bar and the specialized deployment conditions required.

WordPress XSS
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated arbitrary file upload in the Instant Appointment WordPress plugin (all versions ≤ 1.2) lets remote attackers upload files of any type through the 'insapp_upload_image_as_attachment' function, which lacks file-type validation, potentially enabling remote code execution by planting a PHP webshell. Any WordPress site running the plugin is exploitable without authentication or user interaction, matching its 9.8 CVSS rating. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

WordPress RCE File Upload
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Authorization bypass in the WPCafe WordPress plugin (all versions through 3.0.14) allows any authenticated subscriber-level user to fully manage email notification flow workflows that are intended to be administrator-only. The FlowAPI REST endpoints bundled within the plugin's email notification SDK rely solely on a wp_rest nonce for access control - a token freely obtainable from the frontend page source by any logged-in user - completely bypassing role-based authorization. No public exploit or active exploitation has been identified at time of analysis, though the low exploitation complexity makes this a realistic risk on sites with open user registration.

Authentication Bypass WordPress Wpcafe Restaurant Menu Online Food Ordering Table Booking System
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits unauthenticated remote attackers to inject arbitrary JavaScript via the check_in_date and check_out_date URL parameters across multiple search result and Elementor widget templates. Successful exploitation requires tricking a victim into clicking a crafted link, after which the injected script executes in the victim's browser context - making logged-in administrators particularly high-value targets. No public exploit has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

WordPress XSS Wp Hotel Booking
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.

WordPress PHP RCE +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Salon Booking System - Free Version WordPress plugin (all versions ≤ 10.30.32) lets a remote attacker write attacker-controlled PHP into the plugin's web-accessible translate-constants.php file by abusing the unprotected setCustomText AJAX handler. Because the handler lacks proper nonce validation (CWE-352 CSRF), an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link can achieve full server-side code execution. Reported by Wordfence with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.

WordPress CSRF RCE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial exploitability make this a high-priority patch item.

WordPress RCE File Upload +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. No public exploit code has been identified at time of analysis, and the flaw is not listed in CISA KEV, but the low bar for exploitation (any registered site account) raises practical risk for sites using Fluent Forms payment/subscription features.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers log in as any existing user - including Administrators - when the Spotify Social Login addon is enabled. The flaw stems from the plugin trusting the unverified email returned by Spotify's /v1/me endpoint to match and authenticate a WordPress account, so an attacker who registers a Spotify account with a victim's email gains that victim's session. No public exploit has been identified at time of analysis; CVSS is 8.1 with attack complexity rated High due to the required addon configuration.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions up to and including 6.2.3) lets unauthenticated attackers hijack any existing account, including administrators, by abusing the GitHub OAuth social-login callback. The loginpress_on_github_login() function binds the login session to profile[0]['email'] from GitHub's /user/emails endpoint without checking the verified flag, so an attacker who adds an unverified email matching a victim's account and triggers the callback can be logged in as that user. This maps to CWE-287 and carries a CVSS 8.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers hijack any existing account - administrators included - by exploiting the Discord OAuth login handler, which trusts the email returned by Discord without checking Discord's verified flag. An attacker who knows a target's WordPress email registers a Discord account with that same (unverified) email and completes the normal OAuth flow to receive an authenticated session as the victim. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw was reported by Wordfence and is a full account-takeover primitive.

Authentication Bypass WordPress
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Arbitrary file deletion in the UsersWP WordPress plugin (versions ≤ 1.2.65) lets authenticated Subscriber-level users delete any file on the server, including wp-config.php, which can escalate into full site takeover. The flaw stems from unsanitized directory-traversal sequences in file-field metadata reaching an unlink() call in the upload_file_remove() AJAX handler. Reported by Wordfence with no public exploit identified at time of analysis and no active-exploitation (KEV) listing; an upstream code fix is available.

WordPress Path Traversal
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not confirmed in the wild.

WordPress XSS Wp Cost Estimation Payment Forms Builder
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized data disclosure in the Blocks for ACF Fields WordPress plugin (versions up to and including 1.6.2) allows any authenticated user holding the Author role or above to read ACF field values from arbitrary WordPress objects - including private posts, drafts, and posts owned by other users - via an insecure REST API endpoint. The flaw stems from the REST handler accepting a user-supplied post ID and passing it directly to get_field_objects() without verifying whether the requester holds read permission on that specific object, a classic object-level authorization failure (CWE-862). Reported by Wordfence; no CISA KEV listing and no standalone public exploit code identified at time of analysis, though exploitation is operationally trivial for any attacker with a valid Author-level WordPress account.

Authentication Bypass WordPress Blocks For Acf Fields Display Custom Fields In The Block Editor
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote manipulation of published business quotes is possible in the Easy Invoice WordPress plugin (versions up to and including 2.1.19) due to missing authorization on AJAX endpoints. The plugin registers quote acceptance and decline actions via wp_ajax_nopriv_ hooks - making them reachable without credentials - while the only gate is a per-quote nonce that is embedded directly in the publicly viewable single-quote template. The ownership restriction that would prevent non-owners from acting on quotes is controlled by an off-by-default Pro feature flag, meaning the overwhelming majority of free-tier deployments are fully exposed to arbitrary quote status manipulation, including automatic invoice generation and client email dispatch. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress Easy Invoice Invoice Generator Pdf Quotes Payments
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Crew HRM WordPress plugin (all versions ≤ 1.2.2) allows any authenticated subscriber-level user to delete, archive, unarchive, and duplicate arbitrary job listings - including associated stages, metadata, addresses, and applications - by supplying an arbitrary integer job_id. The nonce that nominally gates these actions via Dispatcher::dispatch() is deliberately exposed to every authenticated frontend visitor through wp_head script localization, making the bypass trivially reproducible by any user with a WordPress account. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists; however, the nonce leak collapses the practical access barrier to subscriber level.

Authentication Bypass WordPress Employee Leave And Recruitment Management System Crew Hrm
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized shipping label manipulation in DHL eCommerce (Benelux) for WooCommerce versions up to 2.2.3 allows any authenticated WordPress user - down to Subscriber level - to create or delete DHL shipping labels for any WooCommerce order site-wide. The two vulnerable AJAX handlers lack both capability verification and nonce (CSRF token) checks, meaning the attacker-supplied order ID is acted upon without confirming the caller has order management rights. No public exploit is identified and this is not listed in CISA KEV, but the low authentication bar (any registered user) and operational impact on fulfillment make this a meaningful risk for Benelux e-commerce stores with open user registration.

Authentication Bypass WordPress Dhl Ecommerce Benelux For Woocommerce
NVD
EPSS 1% CVSS 7.1
HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. No public exploit is identified at time of analysis, but installing an attacker-supplied plugin yields effective remote code execution on the site.

WordPress CSRF Divi Torque Lite Divi Modules For The Divi Builder Theme
NVD
Prev Page 2 of 193 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy