Skip to main content

WordPress

17382 CVEs vendor

Monthly

CVE-2026-2499 MEDIUM This Month

Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.

WordPress Golang XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2498 MEDIUM This Month

Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2489 MEDIUM This Month

The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2029 MEDIUM This Month

Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-27938 HIGH This Week

Arbitrary command execution in WPGraphQL's GitHub Actions workflow allows attackers with pull request creation privileges to inject shell commands through unvalidated pull request body content, potentially compromising the build environment and repository integrity. The vulnerability affects WPGraphQL versions prior to 2.9.1 and requires low privileges and user interaction to exploit. No patch is currently available for affected deployments.

WordPress Github Command Injection
NVD GitHub
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-1557 HIGH POC This Week

Unauthenticated attackers can exploit a path traversal vulnerability in WP Responsive Images plugin for WordPress (all versions up to 1.0) through the 'src' parameter to read arbitrary files from the server. This allows unauthorized access to sensitive information stored on affected WordPress installations. No patch is currently available.

WordPress Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2694 MEDIUM This Month

The Events Calendar plugin for WordPress through version 6.15.16 fails to properly validate user capabilities in REST API endpoints, allowing authenticated contributors and higher-privileged users to modify or delete events, organizers, and venues without proper authorization. This capability check bypass affects all installations with the vulnerable plugin version and enables authenticated attackers with lower-level access to cause data integrity issues and service disruption. No patch is currently available for this medium-severity vulnerability.

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2410 MEDIUM This Month

The Disable Admin Notices - Hide Dashboard Notifications WordPress plugin up to version 1.4.2 lacks proper CSRF protection in its `showPageContent()` function, allowing unauthenticated attackers to inject arbitrary URLs into the blocked redirects list by tricking site administrators into clicking a malicious link. This could enable an attacker to redirect site traffic or manipulate administrator settings without explicit authorization. No patch is currently available for this medium-severity vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2367 MEDIUM This Month

Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2301 MEDIUM This Month

Protected post metadata injection in Post Duplicator plugin for WordPress allows authenticated contributors and higher-privileged users to arbitrarily set sensitive meta keys like _wp_page_template on duplicated posts by bypassing WordPress's standard metadata protection mechanisms. The vulnerability exists in versions up to 3.0.8 due to direct database insertion instead of using WordPress's protected metadata validation function. Attackers can exploit this through the customMetaData parameter in the REST API endpoint to manipulate post properties and potentially compromise site functionality.

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14742 MEDIUM This Month

WP Recipe Maker (WordPress plugin) is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2479 MEDIUM This Month

Authenticated WordPress users with Author-level or higher privileges can exploit a Server-Side Request Forgery vulnerability in the Responsive Lightbox & Gallery plugin (versions up to 2.7.1) due to improper hostname validation in the image upload function. This allows attackers to send arbitrary web requests from the vulnerable server to internal services, potentially exposing or modifying sensitive information within the network. The vulnerability affects all versions up to 2.7.1 with no patch currently available.

WordPress SSRF
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-2416 HIGH POC This Week

Unauthenticated attackers can execute SQL injection attacks against WordPress sites running Geo Mashup plugin versions up to 1.13.17 by manipulating the 'sort' parameter, allowing unauthorized database access and extraction of sensitive information. The vulnerability stems from inadequate input validation and query preparation in the plugin code. No patch is currently available, leaving affected installations at risk until an update is released.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1929 HIGH This Week

Remote code execution in Advanced Woo Labels plugin for WordPress through version 2.37 allows authenticated users with Contributor access or higher to execute arbitrary PHP functions and system commands via an unsanitized callback parameter in an AJAX handler. The vulnerability stems from improper use of call_user_func_array() without adequate input validation or capability restrictions. No patch is currently available for this high-severity flaw affecting WordPress environments.

WordPress PHP RCE
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-1916 HIGH This Week

Unauthenticated attackers can forge authentication tokens in the WPGSI: Spreadsheet Integration plugin for WordPress (versions up to 3.8.3) due to missing capability checks and weak token validation that relies only on Base64-encoded, unsigned user data. This allows remote attackers to create, modify, and delete arbitrary WordPress posts and pages without authentication. No patch is currently available.

WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1614 MEDIUM This Month

Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15386 HIGH This Week

The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved. [CVSS 8.8 HIGH]

WordPress PHP
NVD WPScan
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23694 This Week

Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions.

WordPress PHP CSRF
NVD
EPSS
0.0%
CVE-2026-23693 CRITICAL Act Now

Critical vulnerability in ElementsKit Elementor Addons WordPress plugin allows unauthenticated access to critical functions. CVSS 10.0 affecting a widely-used WordPress plugin with 1M+ installations.

WordPress
NVD
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-2385 MEDIUM This Month

Unauthenticated attackers can manipulate email routing and redirection in The Plus Addons for Elementor plugin for WordPress versions up to 6.4.7 by tampering with the 'email_data' parameter in an AJAX handler that lacks proper cryptographic verification. This allows attackers to trigger unauthorized email relay and redirect users to attacker-controlled sites without authentication. No patch is currently available for this medium-severity vulnerability.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1369 MEDIUM This Month

Conditional CAPTCHA WordPre versions up to 4.0.0 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

WordPress Open Redirect
NVD WPScan
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1787 MEDIUM This Month

Unauthenticated attackers can delete migrated courses in WordPress sites running LearnPress Export Import versions up to 4.1.0 due to missing capability checks in the data deletion function, provided Tutor LMS is also installed. This allows unauthorized data loss with low complexity exploitation requiring network access. No patch is currently available for this medium-severity vulnerability.

WordPress
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-14339 MEDIUM This Month

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24946 MEDIUM This Month

Missing authorization controls in the tychesoftwares Print Invoice & Delivery Notes plugin for WooCommerce (versions up to 5.8.0) allow unauthenticated attackers to manipulate access control settings and modify invoice or delivery note data. The vulnerability affects WordPress sites running this plugin and could result in unauthorized data modification. A patch is not currently available.

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24941 HIGH This Week

WP Job Portal versions 2.4.4 and earlier contain an authorization bypass flaw that allows unauthenticated attackers to access sensitive information by exploiting improperly configured access controls. An attacker can remotely exploit this vulnerability without user interaction to gain unauthorized visibility into restricted data. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22383 HIGH This Week

Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by authorization bypass through user-controlled key (CVSS 5.4).

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22381 HIGH This Week

Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22354 HIGH This Week

Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22352 HIGH This Week

PersianScript Persian Woocommerce SMS persian-woocommerce-sms is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69386 HIGH This Week

realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69385 MEDIUM This Month

AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69381 HIGH This Week

vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor is affected by missing authorization (CVSS 7.1).

WordPress PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69380 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69379 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-69378 HIGH This Week

XforWooCommerce Product Filter for WooCommerce prdctfltr contains a security vulnerability (CVSS 7.3).

WordPress Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-69377 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-69376 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-69375 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]

WordPress PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69368 HIGH This Week

GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69367 HIGH This Week

GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69328 HIGH This Week

magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69326 HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69325 MEDIUM This Month

primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).

WordPress Path Traversal PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-69324 HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69323 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]

WordPress Industrial XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68843 HIGH This Week

Bas Schuiling FeedWordPress Advanced Filters faf is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68837 MEDIUM This Month

Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68834 HIGH This Week

Missing Authorization vulnerability in Saiful Islam Sync Master Sheet &#8211; Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet &#8211; Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.

WordPress Authentication Bypass Google
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68552 HIGH This Week

WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68549 CRITICAL Act Now

Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.

WordPress PHP RCE
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2025-68501 HIGH This Week

Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68028 MEDIUM This Month

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass Google
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68025 MEDIUM This Month

Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68024 MEDIUM This Month

Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68023 MEDIUM This Month

Missing Authorization vulnerability in Addonify Addonify &#8211; Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify &#8211; Compare Products For WooCommerce: from n/a through <= 1.1.17. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68022 HIGH This Week

soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce is affected by missing authorization (CVSS 6.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-67991 HIGH This Week

vanquish User Extra Fields wp-user-extra-fields is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67969 MEDIUM This Month

knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53237 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-2486 MEDIUM This Month

Stored XSS in Master Addons For Elementor plugin (WordPress versions up to 2.1.1) allows authenticated contributors and above to inject malicious scripts into pages through the 'ma_el_bh_table_btn_text' parameter due to insufficient input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-26370 MEDIUM This Month

The Survey Maker WordPress plugin through version 5.1.7.7 is vulnerable to reflected cross-site scripting (XSS) that requires user interaction to exploit. An attacker can craft a malicious link to inject arbitrary JavaScript into a victim's browser session, potentially allowing credential theft or malicious actions within WordPress. No patch is currently available, leaving affected installations at risk.

WordPress XSS
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2026-2384 MEDIUM This Month

The Quiz Maker plugin for WordPress versions up to 6.7.1.7 allows authenticated contributors and higher-privileged users to inject persistent JavaScript through the `vc_quizmaker` shortcode due to inadequate input validation, enabling malicious script execution in pages viewed by other users. The vulnerability requires WPBakery Page Builder to be active and has no available patch. An attacker with contributor access can deface content or steal sensitive information from site visitors.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-27327 MEDIUM This Month

Authenticated users can modify email configurations in YayMail for WooCommerce through version 4.3.2 due to missing authorization checks on access control settings. An attacker with low-level WordPress user privileges could alter email templates or settings without proper permissions. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2232 HIGH This Week

Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by sql injection (CVSS 7.5).

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1581 HIGH POC This Week

Unauthenticated attackers can exploit time-based SQL injection in wpForo Forum plugin for WordPress versions up to 2.4.14 through the 'wpfob' parameter to extract sensitive database information. The vulnerability stems from insufficient input sanitization and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2718 MEDIUM This Month

The Dealia - Request a Quote WordPress plugin through version 1.0.6 allows authenticated contributors and above to inject malicious scripts into pages via improperly escaped Gutenberg block attributes. An attacker with contributor-level access can embed arbitrary JavaScript that executes when users view the affected pages, potentially compromising user sessions and data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2716 MEDIUM This Month

Stored XSS in the Client Testimonial Slider WordPress plugin through version 2.0 allows administrators to inject malicious scripts into the 'Testimonial Heading' setting due to inadequate input sanitization. The injected scripts execute when users view affected pages, impacting multi-site WordPress installations or sites with unfiltered_html disabled. Currently no patch is available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1461 MEDIUM This Month

Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).

WordPress React
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-1219 MEDIUM This Month

Radio by Sonaar versions up to 4.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27066 MEDIUM This Month

PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-27052 HIGH This Week

villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).

WordPress PHP LFI Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25410 MEDIUM This Month

The WP-CORS WordPress plugin through version 0.2.2 contains an authorization bypass that allows authenticated users to modify content due to improperly configured access controls. An attacker with valid WordPress credentials could exploit this to make unauthorized changes to website data. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25409 MEDIUM This Month

crgeary JAMstack Deployments wp-jamstack-deployments is affected by missing authorization (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25404 MEDIUM This Month

Improper access control in WP Job Manager through version 2.4.0 permits unauthenticated attackers to access sensitive information by bypassing authorization checks. The vulnerability affects WordPress sites running the vulnerable plugin and could allow unauthorized disclosure of job-related data. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25392 MEDIUM This Month

The Update URLs WordPress plugin through version 1.4.0 contains an open redirect vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to arbitrary external sites, enabling phishing attacks. The vulnerability requires user interaction to click a crafted link but has no patch currently available. Affected WordPress sites using this plugin should upgrade or disable it immediately.

WordPress Open Redirect
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-25391 MEDIUM This Month

WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.

Authentication Bypass WordPress AI / ML
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25384 MEDIUM This Month

WP-Lister Lite for eBay through version 3.8.5 contains a missing authorization vulnerability allowing unauthenticated remote attackers to bypass access controls and gain unauthorized information disclosure. The improper access control configuration enables attackers to exploit the plugin's functionality without proper authentication or permissions. No patch is currently available for affected WordPress installations.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25375 MEDIUM This Month

WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25343 MEDIUM This Month

DOM-based cross-site scripting in VeronaLabs WP SMS plugin version 7.1 and earlier for WordPress allows authenticated attackers with high privileges to execute arbitrary JavaScript in users' browsers through improper input handling. An attacker could exploit this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, or deface web pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-25331 MEDIUM This Month

Melapress WP Activity Log wp-security-audit-log is affected by cross-site scripting (xss) (CVSS 6.5).

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25325 MEDIUM This Month

The rtMedia plugin for WordPress versions up to 4.7.8 exposes sensitive system information through an information disclosure vulnerability that allows unauthenticated remote attackers to retrieve embedded data. This vulnerability affects WordPress installations using rtMedia with BuddyPress and bbPress extensions, potentially exposing confidential system details to unauthorized users. No patch is currently available for this medium-severity issue.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25318 MEDIUM This Month

Wisernotify team WiserReview Product Reviews for WooCommerce wiser-review is affected by missing authorization (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25314 MEDIUM This Month

WP Messiah TOP Table Of Contents top-table-of-contents is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-24999 MEDIUM This Month

The Alma payment gateway plugin for WooCommerce versions up to 5.16.1 contains an authorization bypass that allows unauthenticated attackers to modify data through improper access control enforcement. WordPress sites using this plugin are at risk of unauthorized changes to payment-related settings or configurations. A patch is not currently available, making immediate mitigation through plugin disabling or version control necessary.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24375 MEDIUM This Month

WP Swings Ultimate Gift Cards For WooCommerce woo-gift-cards-lite is affected by missing authorization (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22333 HIGH This Week

YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).

WordPress Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2504 MEDIUM This Month

The Dealia - Request a quote WordPress plugin fails to properly validate user permissions on AJAX endpoints, allowing authenticated users with Contributor-level access or higher to reset plugin configuration by exploiting an exposed admin nonce. An attacker with basic edit_posts capability can bypass the capability check and modify critical plugin settings without administrative privileges. The vulnerability affects all versions up to 1.0.6 and currently has no available patch.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2502 MEDIUM This Month

Stored cross-site scripting in the WordPress XML-RPC Attacks Blocker plugin up to version 1.0 allows unauthenticated attackers to inject malicious scripts via the X-Forwarded-For HTTP header, which are then executed when administrators access the debug log page. The vulnerability stems from improper handling of untrusted header data without output escaping. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2284 MEDIUM This Month

Complete data destruction in WordPress via the News Element Elementor Blog Magazine plugin (versions up to 1.0.8) due to insufficient authorization checks on an AJAX function, allowing authenticated users with Subscriber-level privileges to truncate core database tables and delete the uploads directory. The vulnerability requires user authentication but no additional interaction, making it exploitable by any low-privileged WordPress user with no patch currently available.

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-2282 MEDIUM This Month

Stored XSS in WordPress Slidorion plugin through version 1.0.2 allows administrators to inject malicious scripts via insufficiently sanitized settings that execute when other users view affected pages. The vulnerability requires high privileges and only manifests in multisite WordPress installations or those with unfiltered HTML disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.

WordPress Golang XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Livemesh Addons for Beaver Builder (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Arbitrary command execution in WPGraphQL's GitHub Actions workflow allows attackers with pull request creation privileges to inject shell commands through unvalidated pull request body content, potentially compromising the build environment and repository integrity. The vulnerability affects WPGraphQL versions prior to 2.9.1 and requires low privileges and user interaction to exploit. No patch is currently available for affected deployments.

WordPress Github Command Injection
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthenticated attackers can exploit a path traversal vulnerability in WP Responsive Images plugin for WordPress (all versions up to 1.0) through the 'src' parameter to read arbitrary files from the server. This allows unauthorized access to sensitive information stored on affected WordPress installations. No patch is currently available.

WordPress Path Traversal
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Events Calendar plugin for WordPress through version 6.15.16 fails to properly validate user capabilities in REST API endpoints, allowing authenticated contributors and higher-privileged users to modify or delete events, organizers, and venues without proper authorization. This capability check bypass affects all installations with the vulnerable plugin version and enables authenticated attackers with lower-level access to cause data integrity issues and service disruption. No patch is currently available for this medium-severity vulnerability.

WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Disable Admin Notices - Hide Dashboard Notifications WordPress plugin up to version 1.4.2 lacks proper CSRF protection in its `showPageContent()` function, allowing unauthenticated attackers to inject arbitrary URLs into the blocked redirects list by tricking site administrators into clicking a malicious link. This could enable an attacker to redirect site traffic or manipulate administrator settings without explicit authorization. No patch is currently available for this medium-severity vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Protected post metadata injection in Post Duplicator plugin for WordPress allows authenticated contributors and higher-privileged users to arbitrarily set sensitive meta keys like _wp_page_template on duplicated posts by bypassing WordPress's standard metadata protection mechanisms. The vulnerability exists in versions up to 3.0.8 due to direct database insertion instead of using WordPress's protected metadata validation function. Attackers can exploit this through the customMetaData parameter in the REST API endpoint to manipulate post properties and potentially compromise site functionality.

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WP Recipe Maker (WordPress plugin) is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Authenticated WordPress users with Author-level or higher privileges can exploit a Server-Side Request Forgery vulnerability in the Responsive Lightbox & Gallery plugin (versions up to 2.7.1) due to improper hostname validation in the image upload function. This allows attackers to send arbitrary web requests from the vulnerable server to internal services, potentially exposing or modifying sensitive information within the network. The vulnerability affects all versions up to 2.7.1 with no patch currently available.

WordPress SSRF
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthenticated attackers can execute SQL injection attacks against WordPress sites running Geo Mashup plugin versions up to 1.13.17 by manipulating the 'sort' parameter, allowing unauthorized database access and extraction of sensitive information. The vulnerability stems from inadequate input validation and query preparation in the plugin code. No patch is currently available, leaving affected installations at risk until an update is released.

WordPress SQLi
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Advanced Woo Labels plugin for WordPress through version 2.37 allows authenticated users with Contributor access or higher to execute arbitrary PHP functions and system commands via an unsanitized callback parameter in an AJAX handler. The vulnerability stems from improper use of call_user_func_array() without adequate input validation or capability restrictions. No patch is currently available for this high-severity flaw affecting WordPress environments.

WordPress PHP RCE
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can forge authentication tokens in the WPGSI: Spreadsheet Integration plugin for WordPress (versions up to 3.8.3) due to missing capability checks and weak token validation that relies only on Base64-encoded, unsigned user data. This allows remote attackers to create, modify, and delete arbitrary WordPress posts and pages without authentication. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in Rise Blocks WordPress plugin versions up to 3.7 allows authenticated contributors and above to inject malicious scripts into pages through the logoTag Site Identity block attribute due to inadequate input sanitization. The injected scripts execute in the browsers of all users who access the compromised pages, potentially leading to credential theft, session hijacking, or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved. [CVSS 8.8 HIGH]

WordPress PHP
NVD WPScan
EPSS 0%
This Week

Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions.

WordPress PHP CSRF
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Critical vulnerability in ElementsKit Elementor Addons WordPress plugin allows unauthenticated access to critical functions. CVSS 10.0 affecting a widely-used WordPress plugin with 1M+ installations.

WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can manipulate email routing and redirection in The Plus Addons for Elementor plugin for WordPress versions up to 6.4.7 by tampering with the 'email_data' parameter in an AJAX handler that lacks proper cryptographic verification. This allows attackers to trigger unauthorized email relay and redirect users to attacker-controlled sites without authentication. No patch is currently available for this medium-severity vulnerability.

WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Conditional CAPTCHA WordPre versions up to 4.0.0 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

WordPress Open Redirect
NVD WPScan
EPSS 0% CVSS 4.8
MEDIUM This Month

Unauthenticated attackers can delete migrated courses in WordPress sites running LearnPress Export Import versions up to 4.1.0 due to missing capability checks in the data deletion function, provided Tutor LMS is also installed. This allows unauthorized data loss with low complexity exploitation requiring network access. No patch is currently available for this medium-severity vulnerability.

WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization controls in the tychesoftwares Print Invoice & Delivery Notes plugin for WooCommerce (versions up to 5.8.0) allow unauthenticated attackers to manipulate access control settings and modify invoice or delivery note data. The vulnerability affects WordPress sites running this plugin and could result in unauthorized data modification. A patch is not currently available.

WordPress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

WP Job Portal versions 2.4.4 and earlier contain an authorization bypass flaw that allows unauthenticated attackers to access sensitive information by exploiting improperly configured access controls. An attacker can remotely exploit this vulnerability without user interaction to gain unauthorized visibility into restricted data. No patch is currently available for this vulnerability.

WordPress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by authorization bypass through user-controlled key (CVSS 5.4).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization
NVD
EPSS 0% CVSS 7.1
HIGH This Week

PersianScript Persian Woocommerce SMS persian-woocommerce-sms is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS
NVD
EPSS 0% CVSS 7.1
HIGH This Week

realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.1
HIGH This Week

vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor is affected by missing authorization (CVSS 7.1).

WordPress PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

XforWooCommerce Product Filter for WooCommerce prdctfltr contains a security vulnerability (CVSS 7.3).

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]

WordPress PHP LFI
NVD
EPSS 0% CVSS 7.1
HIGH This Week

GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]

WordPress Industrial XSS +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Bas Schuiling FeedWordPress Advanced Filters faf is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Missing Authorization vulnerability in Saiful Islam Sync Master Sheet &#8211; Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet &#8211; Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.

WordPress Authentication Bypass Google
NVD
EPSS 0% CVSS 7.5
HIGH This Week

WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.

WordPress PHP RCE
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass Google
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in Addonify Addonify &#8211; Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify &#8211; Compare Products For WooCommerce: from n/a through <= 1.1.17. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.3
HIGH This Week

soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce is affected by missing authorization (CVSS 6.3).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.1
HIGH This Week

vanquish User Extra Fields wp-user-extra-fields is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in Master Addons For Elementor plugin (WordPress versions up to 2.1.1) allows authenticated contributors and above to inject malicious scripts into pages through the 'ma_el_bh_table_btn_text' parameter due to insufficient input sanitization. When other users access affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Survey Maker WordPress plugin through version 5.1.7.7 is vulnerable to reflected cross-site scripting (XSS) that requires user interaction to exploit. An attacker can craft a malicious link to inject arbitrary JavaScript into a victim's browser session, potentially allowing credential theft or malicious actions within WordPress. No patch is currently available, leaving affected installations at risk.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Quiz Maker plugin for WordPress versions up to 6.7.1.7 allows authenticated contributors and higher-privileged users to inject persistent JavaScript through the `vc_quizmaker` shortcode due to inadequate input validation, enabling malicious script execution in pages viewed by other users. The vulnerability requires WPBakery Page Builder to be active and has no available patch. An attacker with contributor access can deface content or steal sensitive information from site visitors.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated users can modify email configurations in YayMail for WooCommerce through version 4.3.2 due to missing authorization checks on access control settings. An attacker with low-level WordPress user privileges could alter email templates or settings without proper permissions. No patch is currently available for this vulnerability.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Product Table and List Builder for WooCommerce Lite (WordPress plugin) is affected by sql injection (CVSS 7.5).

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthenticated attackers can exploit time-based SQL injection in wpForo Forum plugin for WordPress versions up to 2.4.14 through the 'wpfob' parameter to extract sensitive database information. The vulnerability stems from insufficient input sanitization and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.

WordPress SQLi
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Dealia - Request a Quote WordPress plugin through version 1.0.6 allows authenticated contributors and above to inject malicious scripts into pages via improperly escaped Gutenberg block attributes. An attacker with contributor-level access can embed arbitrary JavaScript that executes when users view the affected pages, potentially compromising user sessions and data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the Client Testimonial Slider WordPress plugin through version 2.0 allows administrators to inject malicious scripts into the 'Testimonial Heading' setting due to inadequate input sanitization. The injected scripts execute when users view affected pages, impacting multi-site WordPress installations or sites with unfiltered_html disabled. Currently no patch is available.

WordPress XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Simple Membership (WordPress plugin) versions up to 4.7.0 contains a security vulnerability (CVSS 6.5).

WordPress React
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Radio by Sonaar versions up to 4.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).

WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).

WordPress PHP LFI +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP-CORS WordPress plugin through version 0.2.2 contains an authorization bypass that allows authenticated users to modify content due to improperly configured access controls. An attacker with valid WordPress credentials could exploit this to make unauthorized changes to website data. No patch is currently available for this vulnerability.

WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

crgeary JAMstack Deployments wp-jamstack-deployments is affected by missing authorization (CVSS 4.3).

WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper access control in WP Job Manager through version 2.4.0 permits unauthenticated attackers to access sensitive information by bypassing authorization checks. The vulnerability affects WordPress sites running the vulnerable plugin and could allow unauthorized disclosure of job-related data. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

The Update URLs WordPress plugin through version 1.4.0 contains an open redirect vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to arbitrary external sites, enabling phishing attacks. The vulnerability requires user interaction to click a crafted link but has no patch currently available. Affected WordPress sites using this plugin should upgrade or disable it immediately.

WordPress Open Redirect
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.

Authentication Bypass WordPress AI / ML
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

WP-Lister Lite for eBay through version 3.8.5 contains a missing authorization vulnerability allowing unauthenticated remote attackers to bypass access controls and gain unauthorized information disclosure. The improper access control configuration enables attackers to exploit the plugin's functionality without proper authentication or permissions. No patch is currently available for affected WordPress installations.

WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

DOM-based cross-site scripting in VeronaLabs WP SMS plugin version 7.1 and earlier for WordPress allows authenticated attackers with high privileges to execute arbitrary JavaScript in users' browsers through improper input handling. An attacker could exploit this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, or deface web pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Melapress WP Activity Log wp-security-audit-log is affected by cross-site scripting (xss) (CVSS 6.5).

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The rtMedia plugin for WordPress versions up to 4.7.8 exposes sensitive system information through an information disclosure vulnerability that allows unauthenticated remote attackers to retrieve embedded data. This vulnerability affects WordPress installations using rtMedia with BuddyPress and bbPress extensions, potentially exposing confidential system details to unauthorized users. No patch is currently available for this medium-severity issue.

WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Wisernotify team WiserReview Product Reviews for WooCommerce wiser-review is affected by missing authorization (CVSS 4.3).

WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WP Messiah TOP Table Of Contents top-table-of-contents is affected by missing authorization (CVSS 4.3).

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Alma payment gateway plugin for WooCommerce versions up to 5.16.1 contains an authorization bypass that allows unauthenticated attackers to modify data through improper access control enforcement. WordPress sites using this plugin are at risk of unauthorized changes to payment-related settings or configurations. A patch is not currently available, making immediate mitigation through plugin disabling or version control necessary.

WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

WP Swings Ultimate Gift Cards For WooCommerce woo-gift-cards-lite is affected by missing authorization (CVSS 5.3).

WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

YITHEMES YITH WooCommerce Compare yith-woocommerce-compare is affected by deserialization of untrusted data (CVSS 7.2).

WordPress Deserialization
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Dealia - Request a quote WordPress plugin fails to properly validate user permissions on AJAX endpoints, allowing authenticated users with Contributor-level access or higher to reset plugin configuration by exploiting an exposed admin nonce. An attacker with basic edit_posts capability can bypass the capability check and modify critical plugin settings without administrative privileges. The vulnerability affects all versions up to 1.0.6 and currently has no available patch.

WordPress PHP Authentication Bypass
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored cross-site scripting in the WordPress XML-RPC Attacks Blocker plugin up to version 1.0 allows unauthenticated attackers to inject malicious scripts via the X-Forwarded-For HTTP header, which are then executed when administrators access the debug log page. The vulnerability stems from improper handling of untrusted header data without output escaping. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Complete data destruction in WordPress via the News Element Elementor Blog Magazine plugin (versions up to 1.0.8) due to insufficient authorization checks on an AJAX function, allowing authenticated users with Subscriber-level privileges to truncate core database tables and delete the uploads directory. The vulnerability requires user authentication but no additional interaction, making it exploitable by any low-privileged WordPress user with no patch currently available.

WordPress
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Slidorion plugin through version 1.0.2 allows administrators to inject malicious scripts via insufficiently sanitized settings that execute when other users view affected pages. The vulnerability requires high privileges and only manifests in multisite WordPress installations or those with unfiltered HTML disabled. No patch is currently available.

WordPress XSS
NVD
Prev Page 24 of 194 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy