Skip to main content

WordPress

17382 CVEs vendor

Monthly

CVE-2026-1655 MEDIUM This Month

Authenticated users can modify WordPress posts in the EventPrime plugin (versions up to 4.2.8.4) due to missing authorization validation in the event submission function, allowing customer-level attackers to alter administrator-created events by manipulating post identifiers if they possess a valid nonce. The vulnerability requires user authentication and does not enable unauthorized access but permits unauthorized modification of existing content.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2633 MEDIUM This Month

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress fails to properly validate the upload_files capability in its AJAX image import function, allowing authenticated contributors to upload arbitrary images to the Media Library despite lacking file upload permissions. This authorization bypass affects all versions up to 3.6.1 and requires only basic user authentication with no user interaction. An attacker with contributor-level access can exploit this to upload malicious image files that could be leveraged for further attacks.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2296 HIGH This Week

Arbitrary PHP code execution in Product Addons for WooCommerce plugin (versions up to 3.1.0) through unsafe use of eval() on unsanitized conditional logic operators allows Shop Manager-level and higher-privileged WordPress users to execute malicious code on affected servers. The vulnerability stems from insufficient input validation in the evalConditions() function where user-supplied operator parameters are passed directly to PHP's eval() without sanitization. No patch is currently available.

WordPress PHP Code Injection
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2281 MEDIUM This Month

Stored XSS in WordPress Private Comment plugin up to version 0.0.4 allows authenticated administrators to inject malicious scripts via the label text setting due to inadequate input sanitization and output escaping. The injected scripts execute in the browsers of users viewing affected pages, impacting multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2019 HIGH This Week

Cart All In One For WooCommerce (WordPress plugin) versions up to 1.1.21. contains a security vulnerability (CVSS 7.2).

WordPress PHP Code Injection
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1937 HIGH This Week

Unauthorized data modification in YayMail WooCommerce Email Customizer WordPress plugin allows unauthenticated attackers to modify email templates, potentially enabling phishing attacks against customers.

WordPress Privilege Escalation Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1857 MEDIUM This Month

Insufficient input validation in the Gutenberg Blocks with AI by Kadence WP plugin allows authenticated contributors and above to perform server-side request forgery against GetResponse API endpoints, potentially exposing sensitive data like contacts and campaigns stored on the site. The vulnerability stems from overly permissive access controls that grant the dangerous `endpoint` parameter manipulation to users with only Contributor-level privileges instead of requiring administrator access. Attackers can also extract the site's stored GetResponse API credentials from request headers during exploitation.

WordPress SSRF AI / ML
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1807 MEDIUM This Month

InteractiveCalculator for WordPress (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1666 MEDIUM This Month

The Download Manager plugin for WordPress through version 3.3.46 contains a reflected XSS vulnerability in the 'redirect_to' parameter that allows unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1640 MEDIUM This Month

The Taskbuilder WordPress plugin through version 5.0.2 fails to properly authorize AJAX comment submission functions, allowing authenticated subscribers to post comments on any project or task regardless of access permissions. Attackers can exploit this to comment on private projects they cannot view and inject malicious HTML/CSS through unsanitized input parameters.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2023 MEDIUM This Month

The WP Plugin Info Card plugin for WordPress versions up to 6.2.0 contains a cross-site request forgery vulnerability in its AJAX handler due to disabled nonce validation, allowing unauthenticated attackers to create or modify custom plugin entries if a site administrator can be tricked into clicking a malicious link. An attacker could leverage this to inject arbitrary plugin configurations that could be used for further compromise of the WordPress installation. No patch is currently available.

WordPress CSRF
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1906 MEDIUM This Month

Authenticated attackers with Subscriber-level or higher access to WordPress sites running PDF Invoices & Packing Slips for WooCommerce through version 5.6.0 can modify Peppol/EDI endpoint identifiers for arbitrary orders due to missing authorization checks in the plugin's AJAX handler. This allows attackers to redirect invoices to different endpoints, potentially disrupting payment processing and exposing sensitive customer data. No patch is currently available.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1639 MEDIUM This Month

SQL injection in the Taskbuilder WordPress plugin through unescaped 'order' and 'sort_by' parameters allows authenticated users with subscriber-level privileges to extract sensitive database information via time-based blind SQL injection attacks. The vulnerability affects all versions up to 5.0.2 and has no available patch. Attackers can craft malicious queries to systematically retrieve confidential data from the WordPress database.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1368 HIGH POC This Week

Video Conferencing with Zoom WordPre versions up to 4.6.6 is affected by improper authentication (CVSS 7.5).

WordPress Zoom
NVD WPScan
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1304 MEDIUM This Month

Stored Cross-Site Scripting in the Membership Plugin for WordPress versions up to 3.2.18 allows authenticated administrators to inject malicious scripts into invoice settings fields due to inadequate input sanitization. When other users access pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. Exploitation requires administrator-level access and no patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-1072 MEDIUM This Month

Keybase.io Verification (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12356 MEDIUM This Month

The Tickera - Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12122 MEDIUM This Month

The Popup Box - Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-11737 MEDIUM This Month

VK All in One Expansion Unit (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-2576 HIGH This Week

Unauthenticated attackers can exploit time-based SQL injection in the Business Directory Plugin for WordPress (versions up to 6.4.2) through an unescaped 'payment' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to append arbitrary SQL commands to existing queries without authentication. No patch is currently available.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1931 HIGH This Week

Stored cross-site scripting in the Rent Fetch WordPress plugin through version 0.32.4 allows unauthenticated attackers to inject malicious scripts via inadequately sanitized keyword parameters. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1925 MEDIUM This Month

The EmailKit - Email Customizer for WooCommerce & WP plugin through version 1.6.2 fails to properly validate user permissions on the template update function, allowing any authenticated user with Subscriber-level access or higher to modify post titles across the WordPress site. This capability check bypass affects all post types including standard posts, pages, and custom post types, enabling unauthorized content manipulation by low-privileged attackers. No patch is currently available.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1714 HIGH This Week

Unauthenticated attackers can abuse the ShopLentor plugin for WordPress (versions up to 3.3.2) to send arbitrary emails through affected websites due to insufficient input validation in an AJAX endpoint, allowing them to conduct spam and phishing campaigns with full control over recipient addresses, subject lines, and message content. The vulnerability requires no user interaction and affects all installations of the vulnerable plugin. No patch is currently available.

WordPress
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-1296 MEDIUM POC This Month

Frontend Post Submission Manager Lite (WordPress plugin) versions up to 1.2.7 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

WordPress Open Redirect
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1277 MEDIUM POC This Month

URL Shortify (WordPress plugin) versions up to 1.12.1 is affected by url redirection to untrusted site (open redirect) (CVSS 4.7).

WordPress Open Redirect
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-6460 MEDIUM This Month

Display During Conditional Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13959 MEDIUM This Month

The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12075 MEDIUM This Month

The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12074 MEDIUM This Month

The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'context_blog_modal_popup' due to insufficient restrictions on which posts can be included. [CVSS 5.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12071 MEDIUM This Month

Frontend User Notes (WordPress plugin) versions up to 2.1.0 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12037 MEDIUM This Month

WP 404 Auto Redirect to Similar Post (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2608 MEDIUM This Month

Page Builder Toolkit for Gutenberg Editor versions up to 3.5.32. is affected by missing authorization (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1216 HIGH This Week

Reflected XSS in WordPress RSS Aggregator plugin versions up to 5.0.10 allows unauthenticated attackers to inject malicious scripts through the unvalidated 'template' parameter. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-0829 MEDIUM POC This Month

Frontend File Manager Plugin WordPre versions up to 23.5 is affected by missing authorization (CVSS 5.8).

WordPress
NVD WPScan
CVSS 3.1
5.8
EPSS
2.4%
CVE-2026-1657 MEDIUM This Month

Unauthenticated attackers can upload arbitrary image files to WordPress sites running EventPrime plugin versions up to 4.2.8.4 through an unprotected AJAX endpoint that lacks proper authentication checks. This vulnerability allows unauthorized file uploads to the media library, potentially enabling further attacks such as stored XSS or malicious file distribution. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-2592 HIGH This Week

Unauthenticated attackers can mark WooCommerce orders as paid in the Zarinpal Gateway plugin (versions up to 5.0.16) by reusing valid payment tokens from other transactions, exploiting insufficient validation of callback handlers. This allows fraudulent order fulfillment without actual payment completion. No patch is currently available and the vulnerability affects all WordPress installations using this payment gateway plugin.

WordPress
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-2002 MEDIUM This Month

Stored XSS in Forminator Forms plugin for WordPress (versions up to 1.50.2) allows authenticated administrators and delegated form managers to inject malicious scripts through the form_name parameter due to inadequate input sanitization. When users access pages containing injected forms, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-12062 HIGH This Week

The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. [CVSS 8.8 HIGH]

WordPress PHP LFI
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-2001 HIGH This Week

Arbitrary plugin installation in WowRevenue for WordPress (versions up to 2.1.3) allows authenticated subscribers to bypass capability checks and install malicious plugins, potentially enabling remote code execution on vulnerable sites. The vulnerability requires only low-privilege user access and network connectivity, affecting WordPress instances running the vulnerable plugin without an available patch.

WordPress RCE
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-0929 MEDIUM This Month

Insufficient capability checks in RegistrationMagic WordPress plugin versions before 6.0.7.2 allow subscriber-level users and above to create forms, enabling unauthorized form creation and potential site manipulation. This vulnerability affects WordPress sites running the affected plugin versions, with no patch currently available. The impact is limited to form creation without affecting confidentiality or system availability.

WordPress
NVD WPScan
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1793 MEDIUM This Month

Element Pack Addons for Elementor (WordPress plugin) versions up to 8.3.17 is affected by path traversal (CVSS 6.5).

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-1750 HIGH This Week

Ecwid by Lightspeed Ecommerce Shopping Cart (WordPress plugin) versions up to 7.0.7. is affected by improper privilege management (CVSS 8.8).

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1490 CRITICAL Act Now

CleanTalk Anti-Spam WordPress plugin has an authorization bypass enabling unauthenticated attackers to perform file operations on the WordPress server.

WordPress DNS RCE
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2312 MEDIUM This Month

Authenticated users with Author-level privileges in WordPress Media Library Folders plugin (versions up to 8.3.6) can delete or rename arbitrary attachments belonging to other users through insufficient validation in the delete_maxgalleria_media() and maxgalleria_rename_image() functions. The rename operation also destroys all postmeta associated with target attachments, resulting in permanent data loss. No patch is currently available.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1512 MEDIUM This Month

Stored XSS in Essential Addons for Elementor plugin (versions up to 6.5.9) allows authenticated contributors to inject malicious scripts into pages through the Info Box widget due to inadequate input sanitization. The injected scripts execute for all users viewing the affected pages, potentially leading to credential theft or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1843 HIGH This Week

Stored cross-site scripting in Super Page Cache for WordPress (versions up to 5.2.2) allows unauthenticated attackers to inject malicious scripts through the Activity Log due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1258 MEDIUM This Month

SQL injection in Mail Mint plugin for WordPress (versions up to 1.19.2) allows authenticated administrators to execute arbitrary SQL queries through improperly sanitized parameters in multiple API endpoints. An attacker with admin-level access could exploit insufficient input escaping on 'order-by', 'order-type', and 'selectedCourses' parameters to extract sensitive data from the WordPress database. No patch is currently available for this vulnerability.

WordPress SQLi
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-1254 MEDIUM This Month

The Modula Image Gallery plugin for WordPress through version 2.13.6 fails to properly validate REST API permissions, allowing authenticated contributors and higher-privileged users to modify arbitrary post content by manipulating post IDs in API requests. Attackers can update titles, excerpts, and body content of posts they do not own, potentially leading to unauthorized content modification or injection attacks. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1249 MEDIUM This Month

The MP3 Audio Player plugin for WordPress versions 5.3-5.10 contains a server-side request forgery vulnerability in the lyrics loading function that allows authenticated users with author privileges to initiate arbitrary web requests from the affected server. This capability enables attackers to interact with internal services and potentially access or modify sensitive data on systems reachable from the web application.

WordPress SSRF
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-0550 MEDIUM This Month

The myCred WordPress plugin through version 2.9.7.3 contains a stored cross-site scripting vulnerability in the 'mycred_load_coupon' shortcode that allows authenticated contributors and above to inject malicious scripts into pages through inadequately sanitized shortcode attributes. When site visitors access pages containing the injected payload, the attacker's script executes in their browsers, potentially compromising user sessions and sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-8572 CRITICAL Act Now

Privilege escalation in Truelysell Core WordPress plugin <= 1.8.7. Insufficient role validation allows elevation.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2024 HIGH This Week

Unauthenticated attackers can exploit SQL injection in the PhotoStack Gallery plugin for WordPress (versions up to 0.4.1) through the unescaped 'postid' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and unprepared SQL queries, allowing attackers to inject arbitrary SQL commands without authentication. With no patch currently available, all WordPress installations using this plugin are at risk of data exposure.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2022 MEDIUM This Month

WordPress Smart Forms plugin through version 2.6.99 fails to validate user permissions on the 'rednao_smart_forms_get_campaigns' AJAX action, allowing authenticated subscribers and higher-privileged users to retrieve sensitive donation campaign data. An attacker with basic WordPress account access can enumerate campaign IDs and names without proper authorization. A patch is not currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1988 HIGH This Week

Arbitrary PHP code execution in the Flexi Product Slider and Grid for WooCommerce WordPress plugin through version 1.0.5 allows authenticated contributors to exploit unsanitized file path parameters in the flexipsg_carousel shortcode to include and execute arbitrary files on the server. The vulnerability requires an attacker with Contributor-level access or above to create posts containing malicious shortcodes, but carries high risk due to lack of input validation on the theme parameter enabling local file inclusion attacks. No patch is currently available for this vulnerability.

WordPress PHP LFI Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1987 MEDIUM This Month

Scheduler Widget (WordPress plugin) versions up to 0.1.6. is affected by authorization bypass through user-controlled key (CVSS 5.4).

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1985 MEDIUM This Month

Stored XSS in WordPress Press3D plugin (versions up to 1.0.2) allows authenticated authors to inject malicious JavaScript through unsanitized URL schemes in 3D model blocks, executing arbitrary scripts when users interact with affected content. The vulnerability requires author-level access or higher and impacts all installations of the vulnerable plugin versions without available patches.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1944 MEDIUM This Month

Unauthenticated attackers can modify the CallbackKiller service widget plugin's site ID settings in WordPress versions up to 1.2 due to missing capability checks in the AJAX handler, allowing unauthorized data manipulation without authentication. The vulnerability requires no user interaction and can be exploited remotely, though no patch is currently available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1939 MEDIUM This Month

Stored XSS in the Percent to Infograph WordPress plugin (versions up to 1.0) allows authenticated users with contributor-level or higher privileges to inject malicious scripts through the percent_to_graph shortcode due to inadequate input sanitization. When pages containing the injected payload are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site security and user data.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1915 MEDIUM This Month

Stored cross-site scripting in the Simple Plyr WordPress plugin through version 0.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts via the 'poster' parameter in the plyr shortcode due to inadequate input validation. When victims visit pages containing the injected payload, the attacker's scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1910 MEDIUM This Month

Stored cross-site scripting in the UpMenu WordPress plugin through version 3.1 allows authenticated contributors and above to inject malicious scripts via the 'lang' shortcode attribute due to inadequate input sanitization and output escaping. When victims visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1905 MEDIUM This Month

Stored cross-site scripting in WordPress Sphere Manager plugin through version 1.0.2 allows authenticated users with Contributor privileges or higher to inject malicious scripts via the 'width' parameter in shortcodes due to improper input sanitization. Injected scripts execute in the browsers of any user viewing the affected page, potentially compromising site visitors. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1903 MEDIUM This Month

Stored XSS in the Ravelry Designs Widget WordPress plugin through version 1.0.0 allows authenticated contributors to inject malicious scripts into page shortcodes due to inadequate input sanitization. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. An active patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1901 MEDIUM This Month

Authenticated attackers with Contributor access or higher can inject malicious scripts into WordPress pages via the QuestionPro Surveys plugin's 'questionpro' shortcode, exploiting inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for versions up to 1.0.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1796 MEDIUM This Month

The StyleBidet WordPress plugin through version 1.0.0 fails to properly sanitize URL path parameters, enabling unauthenticated attackers to inject malicious scripts that execute in victim browsers. An attacker can exploit this reflected XSS vulnerability by crafting a malicious link and tricking users into clicking it, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1795 MEDIUM This Month

The Address Bar Ads plugin for WordPress versions up to 1.0.0 contains a reflected cross-site scripting vulnerability in the URL path due to inadequate input sanitization, allowing unauthenticated attackers to inject malicious scripts that execute when users click on crafted links. This attack requires user interaction and affects the confidentiality and integrity of affected sites. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1792 MEDIUM This Month

Stored XSS in the Geo Widget WordPress plugin through version 1.0 allows unauthenticated attackers to inject malicious scripts via insufficiently sanitized URL parameters that execute when users visit affected pages. The vulnerability requires user interaction to trigger but impacts all site visitors who access injected content. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1394 MEDIUM This Month

The WP Quick Contact Us plugin for WordPress through version 1.0 lacks proper nonce validation in its settings update function, enabling unauthenticated attackers to modify plugin configuration through cross-site request forgery if a site administrator can be tricked into clicking a malicious link. This could allow attackers to alter plugin behavior and potentially compromise site functionality without direct authentication.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1306 CRITICAL POC Act Now

Arbitrary file upload in midi-Synth WordPress plugin via 'export' AJAX action.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1303 MEDIUM This Month

The MailChimp Campaigns WordPress plugin through version 3.2.4 lacks proper authorization checks on an AJAX function, allowing authenticated subscribers to disconnect the site's MailChimp integration. This capability bypass enables low-privileged users to disrupt automated email campaigns and marketing workflows. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1187 MEDIUM This Month

Stored cross-site scripting in the ZoomifyWP Free WordPress plugin through version 1.1 allows authenticated contributors and higher to inject malicious scripts via the filename parameter in the zoomify shortcode due to inadequate input sanitization. When other users visit pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or data. No patch is currently available for this vulnerability.

WordPress Zoom XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1096 MEDIUM This Month

Stored XSS in the Best-wp-google-map WordPress plugin through versions 2.1 allows authenticated contributors and above to inject malicious scripts via insufficiently sanitized latitude and longitude shortcode parameters. When other users view pages containing the injected shortcode, the attacker's scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0753 HIGH This Week

Reflected XSS in the Super Simple Contact Form WordPress plugin through version 1.6.2 allows unauthenticated attackers to inject malicious scripts via the 'sscf_name' parameter due to inadequate input sanitization. An attacker can exploit this by tricking users into clicking a crafted link, causing arbitrary JavaScript to execute in their browsers and potentially leading to session hijacking or credential theft. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-0751 MEDIUM This Month

Stored XSS in the Payment Page | Payment Form for Stripe WordPress plugin (versions up to 1.4.6) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the 'pricing_plan_select_text_font_family' parameter due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0745 MEDIUM This Month

User Language Switch (WordPress plugin) is affected by server-side request forgery (ssrf) (CVSS 7.2).

WordPress SSRF
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-0736 MEDIUM This Month

Chatbot for WordPress by Collect.chat (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0735 MEDIUM This Month

Stored XSS in the WordPress User Language Switch plugin through the 'tab_color_picker_language_switch' parameter allows authenticated administrators to inject malicious scripts on multi-site installations or when unfiltered_html is disabled. The injected scripts execute in the context of other users accessing affected pages. This vulnerability affects all versions up to 1.6.10, with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0727 MEDIUM This Month

Authenticated attackers with contributor-level access to WordPress sites can bypass authorization checks in the Accordion and Accordion Slider plugin (versions up to 1.4.5) to read and modify attachment metadata across the entire site. The vulnerability exists in improper permission validation within the attachment data handling functions, allowing unauthorized access to file paths, titles, captions, alt text, and custom links. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0693 MEDIUM This Month

Allow HTML in Category Descriptions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0559 MEDIUM This Month

Stored cross-site scripting in MasterStudy LMS WordPress Plugin versions up to 3.7.11 allows authenticated contributors and above to inject malicious scripts through the 'stm_lms_courses_grid_display' shortcode due to insufficient input sanitization and output escaping. When users access pages containing the injected payload, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0557 MEDIUM This Month

Stored XSS in WordPress WP Data Access plugin versions up to 5.5.63 allows authenticated contributors and higher to inject malicious scripts into pages via the 'wpda_app' shortcode due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-6792 MEDIUM This Month

One to one user Chat by WPGuppy (WordPress plugin) is affected by missing authentication for critical function (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-15483 MEDIUM This Month

The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14873 MEDIUM This Month

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14852 MEDIUM This Month

The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1932 MEDIUM This Month

Unauthenticated attackers can modify appointment statuses in the Bookr WordPress plugin (versions up to 1.0.2) due to a missing capability check on the REST API endpoint. This allows unauthorized data manipulation without authentication or user interaction. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2144 HIGH This Week

Privilege escalation in the Magic Login Mail or QR Code WordPress plugin (versions up to 2.05) allows unauthenticated attackers to hijack any user account, including administrator accounts, by exploiting a race condition in QR code file handling. The plugin creates QR code login images with predictable filenames in the public uploads directory and fails to delete them immediately after email transmission, enabling attackers to intercept the encoded login URLs. An attacker can trigger login requests for arbitrary users and extract valid authentication tokens during the window before file cleanup occurs.

WordPress Privilege Escalation Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-2027 MEDIUM This Month

AMP Enhancer plugin for WordPress versions up to 1.0.49 allows authenticated administrators to inject stored XSS payloads through the Custom CSS setting due to insufficient input sanitization, affecting multi-site installations and those with unfiltered_html disabled. An attacker with admin-level access can execute arbitrary JavaScript in the context of user browsers visiting affected pages. A security patch is not yet available.

WordPress XSS
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1983 MEDIUM This Month

Unauthorized event deletion in the WordPress SEATT plugin through version 1.5.0 stems from inadequate CSRF protections on the event removal function. An attacker can trick site administrators into clicking a malicious link to remove arbitrary events without authentication. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1912 MEDIUM This Month

Stored XSS in the Citations tools WordPress plugin (versions up to 0.3.2) allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized shortcode parameters, which execute in the browsers of users viewing affected pages. The vulnerability requires authentication but affects all site visitors who access pages containing the injected code. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1904 MEDIUM This Month

Simple Wp colorfull Accordion (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated users can modify WordPress posts in the EventPrime plugin (versions up to 4.2.8.4) due to missing authorization validation in the event submission function, allowing customer-level attackers to alter administrator-created events by manipulating post identifiers if they possess a valid nonce. The vulnerability requires user authentication and does not enable unauthorized access but permits unauthorized modification of existing content.

WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress fails to properly validate the upload_files capability in its AJAX image import function, allowing authenticated contributors to upload arbitrary images to the Media Library despite lacking file upload permissions. This authorization bypass affects all versions up to 3.6.1 and requires only basic user authentication with no user interaction. An attacker with contributor-level access can exploit this to upload malicious image files that could be leveraged for further attacks.

WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary PHP code execution in Product Addons for WooCommerce plugin (versions up to 3.1.0) through unsafe use of eval() on unsanitized conditional logic operators allows Shop Manager-level and higher-privileged WordPress users to execute malicious code on affected servers. The vulnerability stems from insufficient input validation in the evalConditions() function where user-supplied operator parameters are passed directly to PHP's eval() without sanitization. No patch is currently available.

WordPress PHP Code Injection
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Private Comment plugin up to version 0.0.4 allows authenticated administrators to inject malicious scripts via the label text setting due to inadequate input sanitization and output escaping. The injected scripts execute in the browsers of users viewing affected pages, impacting multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Cart All In One For WooCommerce (WordPress plugin) versions up to 1.1.21. contains a security vulnerability (CVSS 7.2).

WordPress PHP Code Injection
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Unauthorized data modification in YayMail WooCommerce Email Customizer WordPress plugin allows unauthenticated attackers to modify email templates, potentially enabling phishing attacks against customers.

WordPress Privilege Escalation Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient input validation in the Gutenberg Blocks with AI by Kadence WP plugin allows authenticated contributors and above to perform server-side request forgery against GetResponse API endpoints, potentially exposing sensitive data like contacts and campaigns stored on the site. The vulnerability stems from overly permissive access controls that grant the dangerous `endpoint` parameter manipulation to users with only Contributor-level privileges instead of requiring administrator access. Attackers can also extract the site's stored GetResponse API credentials from request headers during exploitation.

WordPress SSRF AI / ML
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

InteractiveCalculator for WordPress (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Download Manager plugin for WordPress through version 3.3.46 contains a reflected XSS vulnerability in the 'redirect_to' parameter that allows unauthenticated attackers to inject malicious scripts. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Taskbuilder WordPress plugin through version 5.0.2 fails to properly authorize AJAX comment submission functions, allowing authenticated subscribers to post comments on any project or task regardless of access permissions. Attackers can exploit this to comment on private projects they cannot view and inject malicious HTML/CSS through unsanitized input parameters.

WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Plugin Info Card plugin for WordPress versions up to 6.2.0 contains a cross-site request forgery vulnerability in its AJAX handler due to disabled nonce validation, allowing unauthenticated attackers to create or modify custom plugin entries if a site administrator can be tricked into clicking a malicious link. An attacker could leverage this to inject arbitrary plugin configurations that could be used for further compromise of the WordPress installation. No patch is currently available.

WordPress CSRF
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Subscriber-level or higher access to WordPress sites running PDF Invoices & Packing Slips for WooCommerce through version 5.6.0 can modify Peppol/EDI endpoint identifiers for arbitrary orders due to missing authorization checks in the plugin's AJAX handler. This allows attackers to redirect invoices to different endpoints, potentially disrupting payment processing and exposing sensitive customer data. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Taskbuilder WordPress plugin through unescaped 'order' and 'sort_by' parameters allows authenticated users with subscriber-level privileges to extract sensitive database information via time-based blind SQL injection attacks. The vulnerability affects all versions up to 5.0.2 and has no available patch. Attackers can craft malicious queries to systematically retrieve confidential data from the WordPress database.

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH POC This Week

Video Conferencing with Zoom WordPre versions up to 4.6.6 is affected by improper authentication (CVSS 7.5).

WordPress Zoom
NVD WPScan
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Membership Plugin for WordPress versions up to 3.2.18 allows authenticated administrators to inject malicious scripts into invoice settings fields due to inadequate input sanitization. When other users access pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. Exploitation requires administrator-level access and no patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Keybase.io Verification (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Tickera - Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Popup Box - Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

VK All in One Expansion Unit (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit time-based SQL injection in the Business Directory Plugin for WordPress (versions up to 6.4.2) through an unescaped 'payment' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and improper query preparation, allowing attackers to append arbitrary SQL commands to existing queries without authentication. No patch is currently available.

WordPress SQLi
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Rent Fetch WordPress plugin through version 0.32.4 allows unauthenticated attackers to inject malicious scripts via inadequately sanitized keyword parameters. When site visitors access pages containing the injected payload, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

The EmailKit - Email Customizer for WooCommerce & WP plugin through version 1.6.2 fails to properly validate user permissions on the template update function, allowing any authenticated user with Subscriber-level access or higher to modify post titles across the WordPress site. This capability check bypass affects all post types including standard posts, pages, and custom post types, enabling unauthorized content manipulation by low-privileged attackers. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Unauthenticated attackers can abuse the ShopLentor plugin for WordPress (versions up to 3.3.2) to send arbitrary emails through affected websites due to insufficient input validation in an AJAX endpoint, allowing them to conduct spam and phishing campaigns with full control over recipient addresses, subject lines, and message content. The vulnerability requires no user interaction and affects all installations of the vulnerable plugin. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Frontend Post Submission Manager Lite (WordPress plugin) versions up to 1.2.7 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

WordPress Open Redirect
NVD
EPSS 0% CVSS 4.7
MEDIUM POC This Month

URL Shortify (WordPress plugin) versions up to 1.12.1 is affected by url redirection to untrusted site (open redirect) (CVSS 4.7).

WordPress Open Redirect
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Display During Conditional Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'context_blog_modal_popup' due to insufficient restrictions on which posts can be included. [CVSS 5.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Frontend User Notes (WordPress plugin) versions up to 2.1.0 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

WP 404 Auto Redirect to Similar Post (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Page Builder Toolkit for Gutenberg Editor versions up to 3.5.32. is affected by missing authorization (CVSS 4.3).

WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Reflected XSS in WordPress RSS Aggregator plugin versions up to 5.0.10 allows unauthenticated attackers to inject malicious scripts through the unvalidated 'template' parameter. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 2% CVSS 5.8
MEDIUM POC This Month

Frontend File Manager Plugin WordPre versions up to 23.5 is affected by missing authorization (CVSS 5.8).

WordPress
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can upload arbitrary image files to WordPress sites running EventPrime plugin versions up to 4.2.8.4 through an unprotected AJAX endpoint that lacks proper authentication checks. This vulnerability allows unauthorized file uploads to the media library, potentially enabling further attacks such as stored XSS or malicious file distribution. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Unauthenticated attackers can mark WooCommerce orders as paid in the Zarinpal Gateway plugin (versions up to 5.0.16) by reusing valid payment tokens from other transactions, exploiting insufficient validation of callback handlers. This allows fraudulent order fulfillment without actual payment completion. No patch is currently available and the vulnerability affects all WordPress installations using this payment gateway plugin.

WordPress
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in Forminator Forms plugin for WordPress (versions up to 1.50.2) allows authenticated administrators and delegated form managers to inject malicious scripts through the form_name parameter due to inadequate input sanitization. When users access pages containing injected forms, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. [CVSS 8.8 HIGH]

WordPress PHP LFI
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary plugin installation in WowRevenue for WordPress (versions up to 2.1.3) allows authenticated subscribers to bypass capability checks and install malicious plugins, potentially enabling remote code execution on vulnerable sites. The vulnerability requires only low-privilege user access and network connectivity, affecting WordPress instances running the vulnerable plugin without an available patch.

WordPress RCE
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insufficient capability checks in RegistrationMagic WordPress plugin versions before 6.0.7.2 allow subscriber-level users and above to create forms, enabling unauthorized form creation and potential site manipulation. This vulnerability affects WordPress sites running the affected plugin versions, with no patch currently available. The impact is limited to form creation without affecting confidentiality or system availability.

WordPress
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM This Month

Element Pack Addons for Elementor (WordPress plugin) versions up to 8.3.17 is affected by path traversal (CVSS 6.5).

WordPress
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Ecwid by Lightspeed Ecommerce Shopping Cart (WordPress plugin) versions up to 7.0.7. is affected by improper privilege management (CVSS 8.8).

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

CleanTalk Anti-Spam WordPress plugin has an authorization bypass enabling unauthenticated attackers to perform file operations on the WordPress server.

WordPress DNS RCE
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated users with Author-level privileges in WordPress Media Library Folders plugin (versions up to 8.3.6) can delete or rename arbitrary attachments belonging to other users through insufficient validation in the delete_maxgalleria_media() and maxgalleria_rename_image() functions. The rename operation also destroys all postmeta associated with target attachments, resulting in permanent data loss. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in Essential Addons for Elementor plugin (versions up to 6.5.9) allows authenticated contributors to inject malicious scripts into pages through the Info Box widget due to inadequate input sanitization. The injected scripts execute for all users viewing the affected pages, potentially leading to credential theft or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in Super Page Cache for WordPress (versions up to 5.2.2) allows unauthenticated attackers to inject malicious scripts through the Activity Log due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in Mail Mint plugin for WordPress (versions up to 1.19.2) allows authenticated administrators to execute arbitrary SQL queries through improperly sanitized parameters in multiple API endpoints. An attacker with admin-level access could exploit insufficient input escaping on 'order-by', 'order-type', and 'selectedCourses' parameters to extract sensitive data from the WordPress database. No patch is currently available for this vulnerability.

WordPress SQLi
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Modula Image Gallery plugin for WordPress through version 2.13.6 fails to properly validate REST API permissions, allowing authenticated contributors and higher-privileged users to modify arbitrary post content by manipulating post IDs in API requests. Attackers can update titles, excerpts, and body content of posts they do not own, potentially leading to unauthorized content modification or injection attacks. No patch is currently available for this vulnerability.

WordPress
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

The MP3 Audio Player plugin for WordPress versions 5.3-5.10 contains a server-side request forgery vulnerability in the lyrics loading function that allows authenticated users with author privileges to initiate arbitrary web requests from the affected server. This capability enables attackers to interact with internal services and potentially access or modify sensitive data on systems reachable from the web application.

WordPress SSRF
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The myCred WordPress plugin through version 2.9.7.3 contains a stored cross-site scripting vulnerability in the 'mycred_load_coupon' shortcode that allows authenticated contributors and above to inject malicious scripts into pages through inadequately sanitized shortcode attributes. When site visitors access pages containing the injected payload, the attacker's script executes in their browsers, potentially compromising user sessions and sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in Truelysell Core WordPress plugin <= 1.8.7. Insufficient role validation allows elevation.

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can exploit SQL injection in the PhotoStack Gallery plugin for WordPress (versions up to 0.4.1) through the unescaped 'postid' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and unprepared SQL queries, allowing attackers to inject arbitrary SQL commands without authentication. With no patch currently available, all WordPress installations using this plugin are at risk of data exposure.

WordPress SQLi
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WordPress Smart Forms plugin through version 2.6.99 fails to validate user permissions on the 'rednao_smart_forms_get_campaigns' AJAX action, allowing authenticated subscribers and higher-privileged users to retrieve sensitive donation campaign data. An attacker with basic WordPress account access can enumerate campaign IDs and names without proper authorization. A patch is not currently available for this vulnerability.

WordPress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary PHP code execution in the Flexi Product Slider and Grid for WooCommerce WordPress plugin through version 1.0.5 allows authenticated contributors to exploit unsanitized file path parameters in the flexipsg_carousel shortcode to include and execute arbitrary files on the server. The vulnerability requires an attacker with Contributor-level access or above to create posts containing malicious shortcodes, but carries high risk due to lack of input validation on the theme parameter enabling local file inclusion attacks. No patch is currently available for this vulnerability.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Scheduler Widget (WordPress plugin) versions up to 0.1.6. is affected by authorization bypass through user-controlled key (CVSS 5.4).

WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Press3D plugin (versions up to 1.0.2) allows authenticated authors to inject malicious JavaScript through unsanitized URL schemes in 3D model blocks, executing arbitrary scripts when users interact with affected content. The vulnerability requires author-level access or higher and impacts all installations of the vulnerable plugin versions without available patches.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify the CallbackKiller service widget plugin's site ID settings in WordPress versions up to 1.2 due to missing capability checks in the AJAX handler, allowing unauthorized data manipulation without authentication. The vulnerability requires no user interaction and can be exploited remotely, though no patch is currently available.

WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Percent to Infograph WordPress plugin (versions up to 1.0) allows authenticated users with contributor-level or higher privileges to inject malicious scripts through the percent_to_graph shortcode due to inadequate input sanitization. When pages containing the injected payload are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site security and user data.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Simple Plyr WordPress plugin through version 0.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts via the 'poster' parameter in the plyr shortcode due to inadequate input validation. When victims visit pages containing the injected payload, the attacker's scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the UpMenu WordPress plugin through version 3.1 allows authenticated contributors and above to inject malicious scripts via the 'lang' shortcode attribute due to inadequate input sanitization and output escaping. When victims visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in WordPress Sphere Manager plugin through version 1.0.2 allows authenticated users with Contributor privileges or higher to inject malicious scripts via the 'width' parameter in shortcodes due to improper input sanitization. Injected scripts execute in the browsers of any user viewing the affected page, potentially compromising site visitors. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Ravelry Designs Widget WordPress plugin through version 1.0.0 allows authenticated contributors to inject malicious scripts into page shortcodes due to inadequate input sanitization. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. An active patch is not currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Authenticated attackers with Contributor access or higher can inject malicious scripts into WordPress pages via the QuestionPro Surveys plugin's 'questionpro' shortcode, exploiting inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for versions up to 1.0.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The StyleBidet WordPress plugin through version 1.0.0 fails to properly sanitize URL path parameters, enabling unauthenticated attackers to inject malicious scripts that execute in victim browsers. An attacker can exploit this reflected XSS vulnerability by crafting a malicious link and tricking users into clicking it, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Address Bar Ads plugin for WordPress versions up to 1.0.0 contains a reflected cross-site scripting vulnerability in the URL path due to inadequate input sanitization, allowing unauthenticated attackers to inject malicious scripts that execute when users click on crafted links. This attack requires user interaction and affects the confidentiality and integrity of affected sites. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored XSS in the Geo Widget WordPress plugin through version 1.0 allows unauthenticated attackers to inject malicious scripts via insufficiently sanitized URL parameters that execute when users visit affected pages. The vulnerability requires user interaction to trigger but impacts all site visitors who access injected content. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Quick Contact Us plugin for WordPress through version 1.0 lacks proper nonce validation in its settings update function, enabling unauthenticated attackers to modify plugin configuration through cross-site request forgery if a site administrator can be tricked into clicking a malicious link. This could allow attackers to alter plugin behavior and potentially compromise site functionality without direct authentication.

WordPress CSRF
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Arbitrary file upload in midi-Synth WordPress plugin via 'export' AJAX action.

WordPress RCE File Upload
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The MailChimp Campaigns WordPress plugin through version 3.2.4 lacks proper authorization checks on an AJAX function, allowing authenticated subscribers to disconnect the site's MailChimp integration. This capability bypass enables low-privileged users to disrupt automated email campaigns and marketing workflows. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the ZoomifyWP Free WordPress plugin through version 1.1 allows authenticated contributors and higher to inject malicious scripts via the filename parameter in the zoomify shortcode due to inadequate input sanitization. When other users visit pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or data. No patch is currently available for this vulnerability.

WordPress Zoom XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Best-wp-google-map WordPress plugin through versions 2.1 allows authenticated contributors and above to inject malicious scripts via insufficiently sanitized latitude and longitude shortcode parameters. When other users view pages containing the injected shortcode, the attacker's scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Reflected XSS in the Super Simple Contact Form WordPress plugin through version 1.6.2 allows unauthenticated attackers to inject malicious scripts via the 'sscf_name' parameter due to inadequate input sanitization. An attacker can exploit this by tricking users into clicking a crafted link, causing arbitrary JavaScript to execute in their browsers and potentially leading to session hijacking or credential theft. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Payment Page | Payment Form for Stripe WordPress plugin (versions up to 1.4.6) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the 'pricing_plan_select_text_font_family' parameter due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

User Language Switch (WordPress plugin) is affected by server-side request forgery (ssrf) (CVSS 7.2).

WordPress SSRF
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Chatbot for WordPress by Collect.chat (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the WordPress User Language Switch plugin through the 'tab_color_picker_language_switch' parameter allows authenticated administrators to inject malicious scripts on multi-site installations or when unfiltered_html is disabled. The injected scripts execute in the context of other users accessing affected pages. This vulnerability affects all versions up to 1.6.10, with no patch currently available.

WordPress XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Authenticated attackers with contributor-level access to WordPress sites can bypass authorization checks in the Accordion and Accordion Slider plugin (versions up to 1.4.5) to read and modify attachment metadata across the entire site. The vulnerability exists in improper permission validation within the attachment data handling functions, allowing unauthorized access to file paths, titles, captions, alt text, and custom links. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Allow HTML in Category Descriptions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in MasterStudy LMS WordPress Plugin versions up to 3.7.11 allows authenticated contributors and above to inject malicious scripts through the 'stm_lms_courses_grid_display' shortcode due to insufficient input sanitization and output escaping. When users access pages containing the injected payload, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress WP Data Access plugin versions up to 5.5.63 allows authenticated contributors and higher to inject malicious scripts into pages via the 'wpda_app' shortcode due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

One to one user Chat by WPGuppy (WordPress plugin) is affected by missing authentication for critical function (CVSS 5.3).

WordPress PHP
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify appointment statuses in the Bookr WordPress plugin (versions up to 1.0.2) due to a missing capability check on the REST API endpoint. This allows unauthorized data manipulation without authentication or user interaction. No patch is currently available for this vulnerability.

WordPress
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Privilege escalation in the Magic Login Mail or QR Code WordPress plugin (versions up to 2.05) allows unauthenticated attackers to hijack any user account, including administrator accounts, by exploiting a race condition in QR code file handling. The plugin creates QR code login images with predictable filenames in the public uploads directory and fails to delete them immediately after email transmission, enabling attackers to intercept the encoded login URLs. An attacker can trigger login requests for arbitrary users and extract valid authentication tokens during the window before file cleanup occurs.

WordPress Privilege Escalation Authentication Bypass
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

AMP Enhancer plugin for WordPress versions up to 1.0.49 allows authenticated administrators to inject stored XSS payloads through the Custom CSS setting due to insufficient input sanitization, affecting multi-site installations and those with unfiltered_html disabled. An attacker with admin-level access can execute arbitrary JavaScript in the context of user browsers visiting affected pages. A security patch is not yet available.

WordPress XSS
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized event deletion in the WordPress SEATT plugin through version 1.5.0 stems from inadequate CSRF protections on the event removal function. An attacker can trick site administrators into clicking a malicious link to remove arbitrary events without authentication. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Citations tools WordPress plugin (versions up to 0.3.2) allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized shortcode parameters, which execute in the browsers of users viewing affected pages. The vulnerability requires authentication but affects all site visitors who access pages containing the injected code. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Simple Wp colorfull Accordion (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
Prev Page 26 of 194 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy