Skip to main content

WordPress

17382 CVEs vendor

Monthly

CVE-2026-1994 CRITICAL Act Now

Privilege escalation via account takeover in s2Member WordPress plugin <= 260127. Broken authentication allows taking over any user account.

WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1646 MEDIUM This Month

Stored cross-site scripting in the Advance Block Extend WordPress plugin versions up to 1.0.4 allows authenticated contributors and above to inject malicious scripts through the TitleColor attribute in the Latest Posts block, which execute in the browsers of users viewing affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling persistent payload injection. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1455 MEDIUM This Month

Whatsiplus Scheduled Notification for Woocommerce (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1405 CRITICAL POC Act Now

Arbitrary file upload in Slider Future WordPress plugin.

WordPress RCE
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-1373 MEDIUM This Month

Stored XSS in WordPress Easy Author Image plugin up to version 1.7 allows authenticated subscribers and above to inject malicious scripts through the author_profile_picture_url parameter due to inadequate input sanitization. Attackers can embed arbitrary JavaScript that executes when other users view affected pages, potentially compromising user sessions and data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1055 MEDIUM This Month

Stored XSS in the TalkJS WordPress plugin through version 0.1.15 permits high-privilege administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages, restricted to multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's settings handling. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1047 MEDIUM This Month

Stored XSS in the Salavat Counter WordPress plugin up to version 0.9.5 allows authenticated administrators to inject malicious scripts through the 'image_url' parameter due to inadequate input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site integrity and user sessions. A patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1044 MEDIUM This Month

Stored cross-site scripting in Tennis Court Bookings plugin for WordPress through version 1.2.7 allows administrators to inject malicious scripts into admin settings that execute when other users access affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1043 MEDIUM This Month

PostmarkApp Email Integrator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0974 HIGH This Week

The Orderable WordPress plugin through version 1.20.0 fails to properly verify user permissions on plugin installation functions, enabling authenticated subscribers to install malicious plugins and achieve remote code execution. An attacker with minimal WordPress account privileges can exploit this capability check bypass to gain full server compromise without administrator credentials. No patch is currently available for this vulnerability (CVSS 8.8).

WordPress RCE Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0926 CRITICAL POC Act Now

Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9.

WordPress PHP LFI Information Disclosure RCE
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-0912 HIGH This Week

Privilege escalation in WordPress Toret Manager plugin through version 1.2.7 allows authenticated subscribers to modify arbitrary site options due to missing capability checks in the trman_save_option functions. An attacker can exploit this to change the default registration role to administrator and enable user registration, granting themselves admin access to the vulnerable site. No patch is currently available.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-0722 MEDIUM This Month

The Shield Security plugin for WordPress versions up to 21.0.8 contains a CSRF vulnerability that allows attackers to bypass nonce verification through a manipulated parameter, enabling SQL injection attacks to extract database contents. An unauthenticated attacker can exploit this by tricking a site administrator into clicking a malicious link, potentially compromising sensitive information stored in the WordPress database. No patch is currently available for affected installations.

WordPress SQLi CSRF
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-0561 MEDIUM This Month

Shield Security plugin for WordPress versions up to 21.0.8 contains a reflected XSS vulnerability in the 'message' parameter that allows unauthenticated attackers to inject malicious scripts through specially crafted links. Successful exploitation requires tricking users into clicking a malicious link, resulting in execution of arbitrary JavaScript in their browser context. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-0556 MEDIUM This Month

Stored XSS in the XO Event Calendar WordPress plugin through version 3.2.10 allows authenticated contributors and above to inject malicious scripts into pages via the 'xo_event_field' shortcode due to improper input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0549 MEDIUM This Month

Stored XSS in WordPress Groups plugin through the 'groups_group_info' shortcode allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via inadequate input validation. When other users access the compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking or account compromise. No patch is currently available for versions up to 3.10.0.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-4521 HIGH This Week

The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15041 HIGH This Week

The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. [CVSS 7.2 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-14983 MEDIUM This Month

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-14864 MEDIUM This Month

The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromis...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14851 MEDIUM This Month

The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14452 HIGH This Week

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-14445 MEDIUM This Month

The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14427 MEDIUM This Month

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14357 MEDIUM This Month

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14342 MEDIUM This Month

SEO Plugin by Squirrly SEO (WordPress plugin) versions up to 12.4.14. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14294 MEDIUM This Month

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14270 LOW Monitor

OneClick Chat to Order (WordPress plugin) versions up to 1.0.9. is affected by missing authorization (CVSS 2.7).

WordPress PHP
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-14167 MEDIUM This Month

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request ...

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14076 MEDIUM This Month

The iXML - Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-13930 MEDIUM This Month

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13864 MEDIUM This Month

The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request,...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13851 CRITICAL Act Now

Privilege escalation via registration in Buyent Classified WordPress plugin.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-13842 MEDIUM This Month

The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titl...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13738 MEDIUM This Month

The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13732 MEDIUM This Month

The s2Member - Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13617 MEDIUM This Month

Apollo13 Framework Extensions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13612 MEDIUM This Month

Album and Image Gallery plus Lightbox (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13603 HIGH This Week

WP AUDIO GALLERY (WordPress plugin) versions up to 2.0. is affected by missing authorization (CVSS 8.8).

WordPress PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-13587 MEDIUM This Month

The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-13563 CRITICAL Act Now

Privilege escalation in Lizza LMS Pro WordPress plugin <= 1.0.3.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-13438 MEDIUM This Month

The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13413 MEDIUM This Month

Country Blocker for AdSense (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13113 MEDIUM This Month

The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe us...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13091 MEDIUM This Month

The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13079 MEDIUM This Month

mobile friendly marketing popups. versions up to 4.4.2. contains a security vulnerability (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13048 MEDIUM This Month

The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12975 HIGH This Week

The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. [CVSS 7.2 HIGH]

WordPress RCE PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-12884 MEDIUM This Month

The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12882 CRITICAL Act Now

Privilege escalation in Clasifico Listing WordPress plugin <= 2.0.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-12845 HIGH This Week

The Tablesome Table - Contact Form DB - WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12821 HIGH This Week

The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. [CVSS 8.8 HIGH]

WordPress RCE CSRF PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12707 HIGH This Week

The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-12500 MEDIUM This Month

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (i...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12451 MEDIUM This Month

The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-12448 MEDIUM This Month

The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS AI / ML PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12375 MEDIUM This Month

The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can b...

WordPress SSRF PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12172 MEDIUM This Month

Mailchimp List Subscribe Form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12117 MEDIUM This Month

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12116 MEDIUM This Month

The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12081 MEDIUM This Month

The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12027 MEDIUM This Month

The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-11754 HIGH This Week

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. [CVSS 7.5 HIGH]

WordPress PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-11725 MEDIUM This Month

Aruba HiSpeed Cache (WordPress plugin) versions up to 3.0.2. is affected by missing authorization (CVSS 6.5).

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-11706 MEDIUM This Month

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2230 MEDIUM This Month

The Booking Calendar plugin for WordPress through version 10.14.14 contains an insecure direct object reference in the handle_ajax_save function that fails to validate user-controlled input, allowing authenticated subscribers and above with booking permissions to modify other users' plugin settings and disrupt their booking calendar functionality. This vulnerability requires valid WordPress credentials but poses a direct threat to multi-user WordPress installations where booking functionality is delegated across accounts.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1426 HIGH This Week

PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1404 MEDIUM This Month

The Ultimate Member WordPress plugin through version 2.11.1 contains a reflected XSS vulnerability in filter parameters that lack proper input sanitization and output escaping. Unauthenticated attackers can inject malicious scripts into pages by crafting malicious links and convincing users to click them. Successful exploitation results in arbitrary JavaScript execution in the context of the affected user's browser session.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2386 MEDIUM This Month

The Plus Addons for Elementor plugin for WordPress fails to validate post-type-specific permissions in its AJAX handler, allowing authenticated authors and above to create draft posts for restricted post types like pages and custom post types. An attacker with author-level access can bypass capability checks by directly specifying arbitrary post types, potentially enabling unauthorized content creation or manipulation of restricted content areas.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1582 LOW Monitor

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pa...

WordPress PHP Authentication Bypass Information Disclosure
NVD
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-1317 MEDIUM This Month

SQL injection in the WP Import - Ultimate CSV Importer plugin for WordPress (versions up to 7.37) allows authenticated subscribers and higher-privileged users to inject malicious SQL commands through specially crafted filenames during file uploads. When the Single Import/Export feature is enabled on PHP versions below 8.0, attackers can extract sensitive database information by exploiting insufficient input validation. The vulnerability requires valid WordPress credentials but poses a medium risk due to its direct access to database contents.

WordPress PHP SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-8781 MEDIUM This Month

The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘raw’ parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-14799 MEDIUM This Month

The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint. This makes it possible for unauthenticated attackers to disconnect the Brevo integration, delete the API key, remove all subscription form...

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2426 MEDIUM This Month

Arbitrary file deletion in WP-DownloadManager plugin versions up to 1.69 allows high-privileged WordPress administrators to bypass path validation and remove critical system files through directory traversal in the file deletion parameter. Deletion of essential files like wp-config.php can result in remote code execution or complete site compromise. No patch is currently available.

WordPress PHP RCE Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
2.6%
CVE-2026-1942 MEDIUM This Month

Unauthorized post modification in Blog2Social plugin for WordPress versions up to 8.7.4 allows authenticated subscribers and higher-privileged users to alter arbitrary post and page content due to missing post-level permission checks in the curation draft AJAX handler. An attacker can exploit this by providing a target post ID to overwrite titles and content across the site without proper authorization.

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14444 MEDIUM This Month

The RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2126 MEDIUM This Month

Unauthenticated attackers can manipulate post category assignments in the WordPress User Submitted Posts plugin through missing authorization checks on user-supplied category IDs. This allows bypassing frontend category restrictions to assign posts to arbitrary or restricted categories via crafted POST requests. The vulnerability affects all versions up to 20260113 with no patch currently available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13727 MEDIUM This Month

The Video Share VOD - Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-11185 MEDIUM This Month

The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2495 HIGH This Week

Unauthenticated attackers can exploit SQL injection in the WPNakama WordPress plugin (versions up to 0.6.5) through the 'order' parameter in the REST API /wp-json/WPNakama/v1/boards endpoint due to insufficient input escaping. This allows unauthorized extraction of sensitive database information from any WordPress installation running the vulnerable plugin. No patch is currently available.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2127 MEDIUM This Month

Arbitrary shortcode execution in the SiteOrigin Widgets Bundle plugin for WordPress affects authenticated users with Subscriber access and above due to missing capability checks in an AJAX preview function. Attackers can exploit this vulnerability to execute arbitrary shortcodes when the Post Carousel widget is present, as the required nonce is publicly exposed in the page HTML. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1941 MEDIUM This Month

Stored cross-site scripting in WP Event Aggregator plugin through version 1.8.7 allows authenticated contributors and above to inject malicious scripts via the wp_events shortcode due to inadequate input sanitization. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available, leaving affected WordPress installations vulnerable.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1656 MEDIUM This Month

Business Directory (WordPress plugin) versions up to 6.4.20. is affected by missing authorization (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1649 MEDIUM This Month

Stored XSS in WordPress Community Events plugin through the 'ce_venue_name' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.5.7 due to inadequate input sanitization and output escaping, with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2419 LOW Monitor

The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. [CVSS 2.7 LOW]

WordPress Path Traversal
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-2112 MEDIUM This Month

Unauthenticated attackers can delete all pending comments in WordPress sites running the Dam Spam plugin up to version 1.0.8 by exploiting missing CSRF protections, requiring only that an administrator be tricked into clicking a malicious link. An attacker with this capability can disrupt comment moderation workflows and potentially suppress legitimate user feedback. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1943 MEDIUM This Month

Stored XSS in YayMail plugin for WordPress (versions up to 4.3.2) allows authenticated Shop Manager-level users to inject malicious scripts through inadequately sanitized settings, affecting multi-site installations or those with disabled unfiltered_html. Attackers can execute arbitrary JavaScript in pages viewed by other users, though exploitation requires elevated privileges and specific WordPress configurations. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1938 MEDIUM This Month

Unauthorized license key deletion in the YayMail WooCommerce Email Customizer plugin (versions up to 4.3.2) stems from missing authorization checks on a REST API endpoint, allowing authenticated Shop Manager-level users to remove the plugin license if they can obtain the REST API nonce. This integrity violation affects WordPress installations running the vulnerable plugin and could disrupt email customization functionality.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1860 MEDIUM This Month

The Kali Forms WordPress plugin through version 2.4.8 allows authenticated contributors and higher-privileged users to read sensitive form data of other users via insecure direct object reference on the REST API, exposing form configurations, reCAPTCHA keys, email templates, and server paths. The vulnerability stems from insufficient permission validation that only checks for the generic `edit_posts` capability rather than verifying ownership of specific form resources. Attackers can exploit this through form ID enumeration without requiring any interaction or elevated privileges beyond basic authenticated access.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1831 LOW Monitor

YayMail - WooCommerce Email Customizer (WordPress plugin) is affected by missing authorization (CVSS 2.7).

WordPress
NVD
CVSS 3.1
2.7
EPSS
0.0%
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation via account takeover in s2Member WordPress plugin <= 260127. Broken authentication allows taking over any user account.

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Advance Block Extend WordPress plugin versions up to 1.0.4 allows authenticated contributors and above to inject malicious scripts through the TitleColor attribute in the Latest Posts block, which execute in the browsers of users viewing affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling persistent payload injection. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Whatsiplus Scheduled Notification for Woocommerce (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Arbitrary file upload in Slider Future WordPress plugin.

WordPress RCE
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Easy Author Image plugin up to version 1.7 allows authenticated subscribers and above to inject malicious scripts through the author_profile_picture_url parameter due to inadequate input sanitization. Attackers can embed arbitrary JavaScript that executes when other users view affected pages, potentially compromising user sessions and data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the TalkJS WordPress plugin through version 0.1.15 permits high-privilege administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages, restricted to multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in the plugin's settings handling. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the Salavat Counter WordPress plugin up to version 0.9.5 allows authenticated administrators to inject malicious scripts through the 'image_url' parameter due to inadequate input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site integrity and user sessions. A patch is not currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored cross-site scripting in Tennis Court Bookings plugin for WordPress through version 1.2.7 allows administrators to inject malicious scripts into admin settings that execute when other users access affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

PostmarkApp Email Integrator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Orderable WordPress plugin through version 1.20.0 fails to properly verify user permissions on plugin installation functions, enabling authenticated subscribers to install malicious plugins and achieve remote code execution. An attacker with minimal WordPress account privileges can exploit this capability check bypass to gain full server compromise without administrator credentials. No patch is currently available for this vulnerability (CVSS 8.8).

WordPress RCE Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9.

WordPress PHP LFI +2
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in WordPress Toret Manager plugin through version 1.2.7 allows authenticated subscribers to modify arbitrary site options due to missing capability checks in the trman_save_option functions. An attacker can exploit this to change the default registration role to administrator and enable user registration, granting themselves admin access to the vulnerable site. No patch is currently available.

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Shield Security plugin for WordPress versions up to 21.0.8 contains a CSRF vulnerability that allows attackers to bypass nonce verification through a manipulated parameter, enabling SQL injection attacks to extract database contents. An unauthenticated attacker can exploit this by tricking a site administrator into clicking a malicious link, potentially compromising sensitive information stored in the WordPress database. No patch is currently available for affected installations.

WordPress SQLi CSRF
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Shield Security plugin for WordPress versions up to 21.0.8 contains a reflected XSS vulnerability in the 'message' parameter that allows unauthenticated attackers to inject malicious scripts through specially crafted links. Successful exploitation requires tricking users into clicking a malicious link, resulting in execution of arbitrary JavaScript in their browser context. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the XO Event Calendar WordPress plugin through version 3.2.10 allows authenticated contributors and above to inject malicious scripts into pages via the 'xo_event_field' shortcode due to improper input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Groups plugin through the 'groups_group_info' shortcode allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via inadequate input validation. When other users access the compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking or account compromise. No patch is currently available for versions up to 3.10.0.

WordPress XSS
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. [CVSS 7.2 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromis...

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SEO Plugin by Squirrly SEO (WordPress plugin) versions up to 12.4.14. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or...

WordPress PHP
NVD
EPSS 0% CVSS 2.7
LOW Monitor

OneClick Chat to Order (WordPress plugin) versions up to 1.0.9. is affected by missing authorization (CVSS 2.7).

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request ...

WordPress CSRF PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The iXML - Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request,...

WordPress PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation via registration in Buyent Classified WordPress plugin.

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titl...

WordPress PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The s2Member - Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Apollo13 Framework Extensions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Album and Image Gallery plus Lightbox (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

WP AUDIO GALLERY (WordPress plugin) versions up to 2.0. is affected by missing authorization (CVSS 8.8).

WordPress PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in Lizza LMS Pro WordPress plugin <= 1.0.3.

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Country Blocker for AdSense (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe us...

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

mobile friendly marketing popups. versions up to 4.4.2. contains a security vulnerability (CVSS 5.3).

WordPress PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. [CVSS 7.2 HIGH]

WordPress RCE PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in Clasifico Listing WordPress plugin <= 2.0.

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Tablesome Table - Contact Form DB - WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. [CVSS 8.8 HIGH]

WordPress RCE CSRF +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (i...

WordPress PHP
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS AI / ML +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can b...

WordPress SSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Mailchimp List Subscribe Form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. [CVSS 7.5 HIGH]

WordPress PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Aruba HiSpeed Cache (WordPress plugin) versions up to 3.0.2. is affected by missing authorization (CVSS 6.5).

WordPress PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Booking Calendar plugin for WordPress through version 10.14.14 contains an insecure direct object reference in the handle_ajax_save function that fails to validate user-controlled input, allowing authenticated subscribers and above with booking permissions to modify other users' plugin settings and disrupt their booking calendar functionality. This vulnerability requires valid WordPress credentials but poses a direct threat to multi-user WordPress installations where booking functionality is delegated across accounts.

WordPress
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Ultimate Member WordPress plugin through version 2.11.1 contains a reflected XSS vulnerability in filter parameters that lack proper input sanitization and output escaping. Unauthenticated attackers can inject malicious scripts into pages by crafting malicious links and convincing users to click them. Successful exploitation results in arbitrary JavaScript execution in the context of the affected user's browser session.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Plus Addons for Elementor plugin for WordPress fails to validate post-type-specific permissions in its AJAX handler, allowing authenticated authors and above to create draft posts for restricted post types like pages and custom post types. An attacker with author-level access can bypass capability checks by directly specifying arbitrary post types, potentially enabling unauthorized content creation or manipulation of restricted content areas.

WordPress
NVD
EPSS 0% CVSS 3.7
LOW Monitor

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pa...

WordPress PHP Authentication Bypass +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the WP Import - Ultimate CSV Importer plugin for WordPress (versions up to 7.37) allows authenticated subscribers and higher-privileged users to inject malicious SQL commands through specially crafted filenames during file uploads. When the Single Import/Export feature is enabled on PHP versions below 8.0, attackers can extract sensitive database information by exploiting insufficient input validation. The vulnerability requires valid WordPress credentials but poses a medium risk due to its direct access to database contents.

WordPress PHP SQLi
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘raw’ parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint. This makes it possible for unauthenticated attackers to disconnect the Brevo integration, delete the API key, remove all subscription form...

WordPress PHP
NVD
EPSS 3% CVSS 6.5
MEDIUM This Month

Arbitrary file deletion in WP-DownloadManager plugin versions up to 1.69 allows high-privileged WordPress administrators to bypass path validation and remove critical system files through directory traversal in the file deletion parameter. Deletion of essential files like wp-config.php can result in remote code execution or complete site compromise. No patch is currently available.

WordPress PHP RCE +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized post modification in Blog2Social plugin for WordPress versions up to 8.7.4 allows authenticated subscribers and higher-privileged users to alter arbitrary post and page content due to missing post-level permission checks in the curation draft AJAX handler. An attacker can exploit this by providing a target post ID to overwrite titles and content across the site without proper authorization.

WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can manipulate post category assignments in the WordPress User Submitted Posts plugin through missing authorization checks on user-supplied category IDs. This allows bypassing frontend category restrictions to assign posts to arbitrary or restricted categories via crafted POST requests. The vulnerability affects all versions up to 20260113 with no patch currently available.

WordPress
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Video Share VOD - Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit SQL injection in the WPNakama WordPress plugin (versions up to 0.6.5) through the 'order' parameter in the REST API /wp-json/WPNakama/v1/boards endpoint due to insufficient input escaping. This allows unauthorized extraction of sensitive database information from any WordPress installation running the vulnerable plugin. No patch is currently available.

WordPress SQLi
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Arbitrary shortcode execution in the SiteOrigin Widgets Bundle plugin for WordPress affects authenticated users with Subscriber access and above due to missing capability checks in an AJAX preview function. Attackers can exploit this vulnerability to execute arbitrary shortcodes when the Post Carousel widget is present, as the required nonce is publicly exposed in the page HTML. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in WP Event Aggregator plugin through version 1.8.7 allows authenticated contributors and above to inject malicious scripts via the wp_events shortcode due to inadequate input sanitization. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially compromising user sessions and data. No patch is currently available, leaving affected WordPress installations vulnerable.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Business Directory (WordPress plugin) versions up to 6.4.20. is affected by missing authorization (CVSS 5.3).

WordPress
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Community Events plugin through the 'ce_venue_name' parameter allows authenticated administrators to inject malicious scripts that execute for all users viewing affected pages. The vulnerability exists in versions up to 1.5.7 due to inadequate input sanitization and output escaping, with no patch currently available.

WordPress XSS
NVD
EPSS 0% CVSS 2.7
LOW Monitor

The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. [CVSS 2.7 LOW]

WordPress Path Traversal
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthenticated attackers can delete all pending comments in WordPress sites running the Dam Spam plugin up to version 1.0.8 by exploiting missing CSRF protections, requiring only that an administrator be tricked into clicking a malicious link. An attacker with this capability can disrupt comment moderation workflows and potentially suppress legitimate user feedback. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in YayMail plugin for WordPress (versions up to 4.3.2) allows authenticated Shop Manager-level users to inject malicious scripts through inadequately sanitized settings, affecting multi-site installations or those with disabled unfiltered_html. Attackers can execute arbitrary JavaScript in pages viewed by other users, though exploitation requires elevated privileges and specific WordPress configurations. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthorized license key deletion in the YayMail WooCommerce Email Customizer plugin (versions up to 4.3.2) stems from missing authorization checks on a REST API endpoint, allowing authenticated Shop Manager-level users to remove the plugin license if they can obtain the REST API nonce. This integrity violation affects WordPress installations running the vulnerable plugin and could disrupt email customization functionality.

WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Kali Forms WordPress plugin through version 2.4.8 allows authenticated contributors and higher-privileged users to read sensitive form data of other users via insecure direct object reference on the REST API, exposing form configurations, reCAPTCHA keys, email templates, and server paths. The vulnerability stems from insufficient permission validation that only checks for the generic `edit_posts` capability rather than verifying ownership of specific form resources. Attackers can exploit this through form ID enumeration without requiring any interaction or elevated privileges beyond basic authenticated access.

WordPress
NVD
EPSS 0% CVSS 2.7
LOW Monitor

YayMail - WooCommerce Email Customizer (WordPress plugin) is affected by missing authorization (CVSS 2.7).

WordPress
NVD
Prev Page 25 of 194 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy