Skip to main content

WordPress

17382 CVEs vendor

Monthly

CVE-2026-1754 MEDIUM This Month

The personal-authors-category WordPress plugin through version 0.3 contains a reflected XSS vulnerability in the URL path due to inadequate input validation and output encoding. Unauthenticated attackers can exploit this by crafting malicious links that, when clicked by victims, execute arbitrary JavaScript in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1164 MEDIUM This Month

Stored XSS in the Easy Voice Mail WordPress plugin through version 1.2.5 allows authenticated administrators to inject malicious scripts via the message parameter due to inadequate input validation. An attacker with admin privileges can exploit this to execute arbitrary JavaScript in the browsers of users who access affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0692 HIGH This Week

Unauthenticated attackers can forge IPN payment notifications in the BlueSnap Payment Gateway for WooCommerce plugin by spoofing whitelisted IP addresses through header manipulation, allowing them to arbitrarily modify order statuses without authorization. The vulnerability stems from improper IP validation in all versions up to 3.3.0, affecting WordPress installations with this payment plugin active. No patch is currently available.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14608 MEDIUM This Month

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the ...

WordPress PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14067 MEDIUM This Month

Easy Form Builder (WordPress plugin) versions up to 3.9.3. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13973 MEDIUM This Month

The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contac...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13681 MEDIUM This Month

The BFG Tools - Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. [CVSS 4.9 MEDIUM]

WordPress PHP Path Traversal
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-1844 HIGH This Week

Stored XSS in WordPress PixelYourSite PRO plugin versions up to 12.4.0.2 allows unauthenticated attackers to inject malicious scripts through the 'pysTrafficSource' and 'pys_landing_page' parameters due to insufficient input validation and output encoding. When site visitors access pages containing injected payloads, the malicious scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-1841 HIGH This Week

Stored XSS in the PixelYourSite WordPress plugin through versions 11.2.0 allows unauthenticated attackers to inject malicious scripts via the 'pysTrafficSource' and 'pys_landing_page' parameters due to inadequate input sanitization and output escaping. When users visit pages containing injected payloads, the scripts execute in their browsers, potentially compromising sessions and stealing sensitive data. No patch is currently available, leaving all affected installations vulnerable.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-15157 HIGH This Week

The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and including, 3.1.19. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15520 MEDIUM This Month

The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD WPScan
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1104 HIGH This Week

FastDup WordPress plugin versions up to 2.7.1 fail to validate user permissions on REST API endpoints, allowing Contributor-level authenticated users to create and download complete site backups including databases and configuration files. This HIGH severity vulnerability (CVSS 8.8) affects all WordPress installations using the affected plugin versions, with no patch currently available. An attacker with basic authenticated access can extract sensitive data and obtain a full copy of the WordPress installation for further exploitation.

WordPress
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1320 HIGH This Week

Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-1671 MEDIUM This Month

The Activity Log for WordPress plugin through version 1.2.8 fails to validate user permissions on the winter_activity_log_action() function, allowing authenticated subscribers and higher to access sensitive activity logs containing administrator credentials and other confidential data. An attacker with low-privilege WordPress access can exploit this missing capability check to read potentially sensitive information from exposed log files. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1316 HIGH This Week

Customer Reviews for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1356 MEDIUM This Month

The Converter for Media WordPress plugin through version 6.5.1 contains a server-side request forgery vulnerability in the image loading function that allows unauthenticated attackers to make arbitrary web requests from the affected server. This could enable attackers to probe internal services and potentially read or modify sensitive data accessible from the web application. No patch is currently available.

WordPress SSRF
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-14892 CRITICAL Act Now

Privilege escalation in Prime Listing Manager WordPress plugin through 1.1 allows unauthenticated administrative access.

WordPress PHP
NVD WPScan
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1537 MEDIUM This Month

The LatePoint Calendar Booking Plugin for WordPress versions up to 5.2.6 fails to validate user permissions on the load_step() function, allowing unauthenticated attackers to retrieve sensitive booking data such as customer names, emails, phone numbers, and appointment details. This network-accessible vulnerability requires no user interaction and affects all installations of the plugin without the patch. No patch is currently available to remediate this exposure.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1729 CRITICAL Act Now

Authentication bypass in AdForest WordPress theme (all versions through 6.0.12) allows unauthenticated attackers to take over any user account.

WordPress Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-13391 MEDIUM This Month

The Product Options and Price Calculation Formulas for WooCommerce - Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. [CVSS 5.8 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2019-25315 MEDIUM POC This Month

WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when viewed in the WordPress admin interface. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25314 MEDIUM POC This Month

Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces. [CVSS 5.5 MEDIUM]

WordPress XSS
NVD Exploit-DB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-0910 HIGH This Week

PHP object injection in wpForo Forum plugin versions up to 2.4.13 allows authenticated subscribers and above to deserialize untrusted data, potentially enabling arbitrary file deletion, data theft, or code execution if a POP chain exists in installed plugins or themes. The vulnerability requires an additional gadget chain to be exploitable, making its impact dependent on the broader plugin ecosystem of the target WordPress installation.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-2295 MEDIUM This Month

Unauthenticated attackers can extract protected post metadata from WordPress sites running WPZOOM Addons for Elementor plugin version 1.3.2 and earlier due to missing capability validation in an AJAX function. The vulnerability enables disclosure of draft, future, and pending post titles and excerpts that should remain hidden from anonymous users. No patch is currently available.

WordPress Zoom
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-15096 HIGH This Week

The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access t...

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1885 MEDIUM This Month

Stored XSS in WordPress Slideshow WP plugin through version 1.1 allows authenticated users with contributor-level access to inject malicious scripts via the 'sswpid' shortcode attribute due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling attackers to steal session data or perform unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1853 MEDIUM This Month

Stored XSS in BuddyHolis ListSearch plugin for WordPress through version 1.1 allows authenticated contributors and above to inject malicious scripts into pages via inadequately sanitized shortcode attributes. When site visitors access compromised pages, the injected scripts execute in their browsers, potentially enabling account hijacking, session theft, or malicious redirects. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1833 MEDIUM This Month

The WaMate Confirm Order Confirmation WordPress plugin through version 2.0.1 fails to enforce proper authorization checks, allowing authenticated subscribers and higher-privileged users to manipulate phone number blocking settings that should be restricted to administrators. This improper access control vulnerability enables low-privileged attackers to disrupt phone number management functionality without administrative consent.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1827 MEDIUM This Month

The Flask Micro code-editor plugin for WordPress through version 1.0.0 contains a stored cross-site scripting vulnerability in its codeflask shortcode due to inadequate input validation and output encoding. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute for all visitors accessing affected pages. No patch is currently available.

WordPress Flask XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1826 MEDIUM This Month

Stored XSS in OpenPOS Lite for WooCommerce plugin (versions up to 3.0) allows authenticated contributors and above to inject malicious scripts via the order_qrcode shortcode's width parameter, which execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content without user interaction. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1821 MEDIUM This Month

Stored cross-site scripting in the WordPress Microtango plugin through version 0.9.29 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'restkey' parameter that execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping in the mt_reservation shortcode. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1809 MEDIUM This Month

Stored cross-site scripting in the HTML Tag Shortcodes WordPress plugin through version 1.1 allows authenticated contributors and above to execute arbitrary scripts on site pages through inadequately sanitized shortcode attributes. Affected users will run attacker-injected code whenever they visit compromised pages, potentially leading to session hijacking or malicious content injection.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1804 MEDIUM This Month

Stored XSS in the WDES Responsive Popup WordPress plugin through version 1.3.6 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wdes-popup-title' shortcode due to inadequate input sanitization. When victims visit affected pages containing the injected payload, the scripts execute in their browsers, potentially compromising site integrity and user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1786 MEDIUM This Month

The Twitter posts to Blog plugin for WordPress versions up to 1.11.25 lacks proper access controls on the settings function, allowing unauthenticated attackers to modify plugin configuration including Twitter API credentials and post parameters. This capability check bypass could enable attackers to hijack the plugin's functionality or escalate privileges within WordPress installations. No patch is currently available for this vulnerability.

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1748 MEDIUM This Month

The Invoct PDF Invoices & Billing for WooCommerce plugin through version 1.6 fails to enforce capability checks, allowing authenticated Subscriber-level users to access sensitive data including invoice details, client information, and WordPress user email addresses. This privilege escalation vulnerability affects all WordPress installations using the affected plugin versions and has no available patch.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1560 HIGH This Week

Remote code execution in the Custom Block Builder - Lazy Blocks WordPress plugin through version 4.2.0 allows authenticated users with Contributor privileges or higher to execute arbitrary code on the server via vulnerable functions in the LazyBlocks_Blocks class. This high-severity vulnerability (CVSS 8.8) affects all installations of the affected plugin versions with no patch currently available.

WordPress RCE
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1215 MEDIUM This Month

The MMA Call Tracking WordPress plugin through version 2.3.15 lacks proper CSRF protection on its admin configuration page, allowing attackers to modify call tracking settings by tricking site administrators into clicking malicious links. An unauthenticated attacker can alter plugin configurations without authorization through forged requests. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0815 MEDIUM This Month

Stored XSS in WordPress Category Image plugin through version 2.0 allows authenticated users with Editor access or higher to inject malicious scripts via the tag-image parameter due to insufficient input validation. When other users view affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or site defacement. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0724 MEDIUM This Month

The WPlyr Media Block plugin for WordPress through version 1.3.0 contains a stored cross-site scripting vulnerability in the '_wplyr_accent_color' parameter due to inadequate input sanitization, allowing authenticated administrators to inject malicious scripts that execute in other users' browsers. This requires high-privilege access and manual user interaction but impacts site integrity and user security across affected pages.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-15440 HIGH This Week

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1357 CRITICAL POC Act Now

Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.

WordPress PHP OpenSSL RCE Path Traversal
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-1235 MEDIUM This Month

WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15400 MEDIUM This Month

The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1893 MEDIUM This Month

Orbisius Random Name Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1231 MEDIUM This Month

Stored cross-site scripting in Beaver Builder Page Builder plugin for WordPress through version 2.10.0.5 allows authenticated users with Custom-level access or higher to inject malicious scripts into global settings that execute for all site visitors. The vulnerability stems from missing capability checks and insufficient input sanitization in the save_global_settings() function. Attackers can exploit this to deface pages, steal credentials, or perform actions on behalf of other users viewing affected content.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15524 MEDIUM This Month

The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14541 HIGH This Week

Lucky Wheel Giveaway (WordPress plugin) versions up to 1.0.22 is affected by code injection (CVSS 7.2).

WordPress RCE PHP
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-13431 MEDIUM This Month

The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress Industrial SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2268 HIGH This Week

Unauthenticated attackers can extract arbitrary post metadata from WordPress sites running Ninja Forms plugin versions up to 3.14.0 through improper merge tag filtering in repeater fields, potentially exposing sensitive data like API keys, billing information, and customer details. The vulnerability is exploitable remotely without authentication via the nf_ajax_submit AJAX action and currently lacks a patch.

WordPress Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1922 MEDIUM This Month

Stored cross-site scripting in The Events Calendar Shortcode & Block plugin for WordPress up to version 3.1.2 allows authenticated users with contributor-level access to inject malicious scripts through the `ecs-list-events` shortcode's `message` attribute due to inadequate input sanitization. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. A patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1866 HIGH This Week

The Name Directory WordPress plugin through version 1.32.0 contains a stored cross-site scripting vulnerability in its sanitization logic that allows unauthenticated attackers to inject malicious scripts through the public submission form. Attackers can exploit this by submitting content with double-encoded HTML entities that bypass security filters, and the injected scripts will execute when administrators or users view the affected pages if the submission is approved or auto-publish is enabled. This affects all installations of the vulnerable plugin versions with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-14895 MEDIUM This Month

The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. [CVSS 5.4 MEDIUM]

WordPress Industrial PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1722 MEDIUM This Month

Unauthenticated attackers can exploit an authorization bypass in the WCFM Marketplace plugin for WordPress (versions up to 3.7.0) to create arbitrary refund requests via the wcfm-refund-requests-form AJAX endpoint. This IDOR vulnerability allows unauthorized refund submissions for any order, potentially resulting in financial losses if automatic refund processing is enabled. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-0996 MEDIUM This Month

Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.

WordPress XSS AI / ML
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0845 HIGH This Week

Unauthorized option modification in WCFM - Frontend Manager for WooCommerce up to version 6.7.24 allows authenticated Shop Manager-level users to bypass capability checks and alter arbitrary WordPress settings. An attacker with these privileges can exploit this to change the default registration role to administrator and enable user registration, gaining full admin access to the site. No patch is currently available for this vulnerability.

WordPress Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-15147 MEDIUM This Month

WooCommerce Memberships for Multivendor Marketplace versions up to 2.11.8 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0632 MEDIUM This Month

Fluent Forms Pro Add On Pack (WordPress plugin) is affected by server-side request forgery (ssrf) (CVSS 5.4).

WordPress SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-15100 HIGH This Week

The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15027 CRITICAL Act Now

Privilege escalation in JAY Login & Register WordPress plugin allows unauthenticated attackers to register as administrators. All versions up to 1.1.6 affected.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1675 MEDIUM This Month

Advanced Country Blocker (WordPress plugin) versions up to 2.3.1 contains a security vulnerability (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1643 MEDIUM This Month

Reflected XSS in the WordPress MP-Ukagaka plugin through version 1.5.2 allows unauthenticated attackers to inject malicious scripts into web pages due to insufficient input sanitization and output escaping. An attacker can exploit this by tricking users into clicking a malicious link, causing arbitrary JavaScript to execute in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1634 MEDIUM This Month

The Subitem AL Slider plugin for WordPress through version 1.0.0 fails to properly sanitize the PHP_SELF parameter, allowing unauthenticated attackers to inject malicious scripts through a crafted link. An attacker can trick users into clicking a malicious URL to execute arbitrary JavaScript in their browser sessions. No patch is currently available for this reflected XSS vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1613 MEDIUM This Month

Stored XSS in the Wonka Slide WordPress plugin (versions up to 1.3.3) allows authenticated users with contributor-level permissions to inject malicious scripts through the `list_class` shortcode attribute due to inadequate input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1611 MEDIUM This Month

Stored XSS in WordPress Wikiloops Track Player plugin (versions up to 1.0.1) allows authenticated contributors and above to inject malicious scripts through the wikiloops shortcode due to inadequate input sanitization and output escaping. Injected scripts execute in the browsers of users viewing affected pages, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1608 MEDIUM This Month

Stored cross-site scripting in the WordPress Video Onclick plugin through version 0.4.7 allows authenticated contributors and above to inject malicious scripts into pages via the youtube shortcode due to inadequate input sanitization. When users access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive information. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1573 MEDIUM This Month

Stored XSS in the OMIGO WordPress plugin through version 3.3 allows authenticated contributors and above to inject malicious scripts via the omigo_donate_button shortcode due to inadequate input sanitization, executing arbitrary code when users view affected pages. The vulnerability requires low privileges but impacts all users accessing compromised content, with no available patch as of now.

WordPress Golang XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1570 MEDIUM This Month

Simple Bible Verse via Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1082 MEDIUM This Month

The TITLE ANIMATOR plugin for WordPress lacks CSRF protection on its settings page, allowing unauthenticated attackers to modify plugin configuration through forged requests if a site administrator clicks a malicious link. This vulnerability affects all versions up to 1.0 and requires social engineering to exploit but poses a direct integrity risk to plugin functionality and site configuration.

WordPress PHP CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0555 MEDIUM This Month

The Premmerce WordPress plugin through version 1.3.20 contains a stored cross-site scripting vulnerability in the wizard AJAX endpoint due to inadequate input sanitization and output escaping on the state parameter. Authenticated users with subscriber-level permissions can inject malicious scripts that execute in the admin wizard interface when accessed by other users. No patch is currently available for this medium-severity vulnerability affecting plugin installations.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15477 MEDIUM This Month

The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15476 MEDIUM This Month

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15491 MEDIUM This Month

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks [CVSS 5.5 MEDIUM]

WordPress LFI PHP
NVD WPScan
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-15267 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13463 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12803 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12159 MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1293 MEDIUM This Month

Authenticated contributors and above can inject malicious scripts into WordPress pages through the Yoast SEO plugin (versions up to 26.8) by exploiting inadequate sanitization of the yoast-schema block attribute. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user data or session security. No patch is currently available for this stored cross-site scripting vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1785 MEDIUM This Month

The Code Snippets WordPress plugin through version 3.9.4 lacks nonce validation on cloud snippet operations, allowing unauthenticated attackers to conduct cross-site request forgery attacks against logged-in administrators. By tricking an admin into visiting a malicious page, attackers can force unauthorized downloads or updates of cloud snippets. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1499 HIGH This Week

WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.

WordPress RCE Authentication Bypass Path Traversal File Upload
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2026-1252 MEDIUM This Month

Stored XSS in the Events Listing Widget plugin for WordPress (versions ≤1.3.4) allows authenticated users with Author privileges or higher to inject malicious scripts through the Event URL parameter due to inadequate input validation. An attacker exploiting this vulnerability can execute arbitrary JavaScript in pages viewed by other users. No patch is currently available for this medium-severity vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1279 MEDIUM This Month

The Employee Directory plugin for WordPress through version 1.2.1 contains a stored cross-site scripting vulnerability in the search_employee_directory shortcode due to inadequate input validation on the form_title parameter. Authenticated users with Contributor privileges or higher can inject malicious scripts that persist in pages and execute in browsers of any user viewing the affected content. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1909 MEDIUM This Month

Stored XSS in WaveSurfer-WP plugin through improper sanitization of the audio shortcode 'src' attribute allows authenticated users with Contributor access or higher to inject malicious scripts into WordPress pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for versions up to 2.8.3.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1888 MEDIUM This Month

Authenticated WordPress users with Contributor access or higher can inject persistent malicious scripts into pages through the Docus - YouTube Video Playlist plugin (versions up to 1.0.6) via improper handling of shortcode attributes. These injected scripts execute in the browsers of any visitor to the affected pages, potentially compromising user sessions and data. No patch is currently available for this stored XSS vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1808 MEDIUM This Month

Stored cross-site scripting in the Orange Confort+ accessibility toolbar WordPress plugin through version 0.7 allows authenticated contributors and higher-privileged users to inject malicious scripts via the ocplus_button shortcode's style parameter due to inadequate input sanitization. When other users visit pages containing the injected content, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1401 MEDIUM This Month

Stored XSS in WordPress Tune Library plugin versions up to 1.6.3 allows authenticated users with Subscriber access to inject malicious scripts via CSV import due to inadequate input sanitization and output escaping. Attackers can execute arbitrary JavaScript in the context of any user viewing affected pages through the [tune-library] shortcode. No patch is currently available and exploitation requires valid WordPress credentials.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-10753 MEDIUM This Month

The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-1228 MEDIUM This Month

plugin versions up to 1.3.3 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1927 MEDIUM This Month

The Greenshift animation and page builder plugin for WordPress (up to version 12.6) fails to properly validate user capabilities on the greenshift_app_pass_validation() function, allowing authenticated subscribers and above to extract sensitive plugin configuration including stored AI API keys and inject malicious scripts through the custom_css setting. This combination of information disclosure and stored cross-site scripting (XSS) requires only valid WordPress user credentials to exploit, with a partial patch available in version 12.6.

WordPress Authentication Bypass XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1654 MEDIUM This Month

Peter's Date Countdown plugin for WordPress through version 2.0.0 contains a reflected cross-site scripting vulnerability in the PHP_SELF parameter that allows unauthenticated attackers to inject malicious scripts. Exploitation requires social engineering to trick users into clicking a malicious link, but successful attacks can compromise user sessions and steal sensitive data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1294 HIGH This Week

All In One Image Viewer Block (WordPress plugin) is affected by server-side request forgery (ssrf) (CVSS 7.2).

WordPress SSRF
NVD
CVSS 3.1
7.2
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM This Month

The personal-authors-category WordPress plugin through version 0.3 contains a reflected XSS vulnerability in the URL path due to inadequate input validation and output encoding. Unauthenticated attackers can exploit this by crafting malicious links that, when clicked by victims, execute arbitrary JavaScript in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Stored XSS in the Easy Voice Mail WordPress plugin through version 1.2.5 allows authenticated administrators to inject malicious scripts via the message parameter due to inadequate input validation. An attacker with admin privileges can exploit this to execute arbitrary JavaScript in the browsers of users who access affected pages. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can forge IPN payment notifications in the BlueSnap Payment Gateway for WooCommerce plugin by spoofing whitelisted IP addresses through header manipulation, allowing them to arbitrarily modify order statuses without authorization. The vulnerability stems from improper IP validation in all versions up to 3.3.0, affecting WordPress installations with this payment plugin active. No patch is currently available.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the ...

WordPress PHP
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Easy Form Builder (WordPress plugin) versions up to 3.9.3. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contac...

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

The BFG Tools - Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. [CVSS 4.9 MEDIUM]

WordPress PHP Path Traversal
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in WordPress PixelYourSite PRO plugin versions up to 12.4.0.2 allows unauthenticated attackers to inject malicious scripts through the 'pysTrafficSource' and 'pys_landing_page' parameters due to insufficient input validation and output encoding. When site visitors access pages containing injected payloads, the malicious scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in the PixelYourSite WordPress plugin through versions 11.2.0 allows unauthenticated attackers to inject malicious scripts via the 'pysTrafficSource' and 'pys_landing_page' parameters due to inadequate input sanitization and output escaping. When users visit pages containing injected payloads, the scripts execute in their browsers, potentially compromising sessions and stealing sensitive data. No patch is currently available, leaving all affected installations vulnerable.

WordPress XSS
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and including, 3.1.19. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD WPScan
EPSS 0% CVSS 8.8
HIGH This Week

FastDup WordPress plugin versions up to 2.7.1 fail to validate user permissions on REST API endpoints, allowing Contributor-level authenticated users to create and download complete site backups including databases and configuration files. This HIGH severity vulnerability (CVSS 8.8) affects all WordPress installations using the affected plugin versions, with no patch currently available. An attacker with basic authenticated access can extract sensitive data and obtain a full copy of the WordPress installation for further exploitation.

WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Secure Copy Content Protection and Content Locking (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Activity Log for WordPress plugin through version 1.2.8 fails to validate user permissions on the winter_activity_log_action() function, allowing authenticated subscribers and higher to access sensitive activity logs containing administrator credentials and other confidential data. An attacker with low-privilege WordPress access can exploit this missing capability check to read potentially sensitive information from exposed log files. No patch is currently available for this vulnerability.

WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Customer Reviews for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

The Converter for Media WordPress plugin through version 6.5.1 contains a server-side request forgery vulnerability in the image loading function that allows unauthenticated attackers to make arbitrary web requests from the affected server. This could enable attackers to probe internal services and potentially read or modify sensitive data accessible from the web application. No patch is currently available.

WordPress SSRF
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in Prime Listing Manager WordPress plugin through 1.1 allows unauthenticated administrative access.

WordPress PHP
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM This Month

The LatePoint Calendar Booking Plugin for WordPress versions up to 5.2.6 fails to validate user permissions on the load_step() function, allowing unauthenticated attackers to retrieve sensitive booking data such as customer names, emails, phone numbers, and appointment details. This network-accessible vulnerability requires no user interaction and affects all installations of the plugin without the patch. No patch is currently available to remediate this exposure.

WordPress
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in AdForest WordPress theme (all versions through 6.0.12) allows unauthenticated attackers to take over any user account.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

The Product Options and Price Calculation Formulas for WooCommerce - Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. [CVSS 5.8 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.4
MEDIUM POC This Month

WordPress Server Log Viewer 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unfiltered log file paths. Attackers can add log files with embedded XSS payloads that will execute when viewed in the WordPress admin interface. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD GitHub Exploit-DB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces. [CVSS 5.5 MEDIUM]

WordPress XSS
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in wpForo Forum plugin versions up to 2.4.13 allows authenticated subscribers and above to deserialize untrusted data, potentially enabling arbitrary file deletion, data theft, or code execution if a POP chain exists in installed plugins or themes. The vulnerability requires an additional gadget chain to be exploitable, making its impact dependent on the broader plugin ecosystem of the target WordPress installation.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can extract protected post metadata from WordPress sites running WPZOOM Addons for Elementor plugin version 1.3.2 and earlier due to missing capability validation in an AJAX function. The vulnerability enables disclosure of draft, future, and pending post titles and excerpts that should remain hidden from anonymous users. No patch is currently available.

WordPress Zoom
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access t...

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Slideshow WP plugin through version 1.1 allows authenticated users with contributor-level access to inject malicious scripts via the 'sswpid' shortcode attribute due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling attackers to steal session data or perform unauthorized actions. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in BuddyHolis ListSearch plugin for WordPress through version 1.1 allows authenticated contributors and above to inject malicious scripts into pages via inadequately sanitized shortcode attributes. When site visitors access compromised pages, the injected scripts execute in their browsers, potentially enabling account hijacking, session theft, or malicious redirects. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The WaMate Confirm Order Confirmation WordPress plugin through version 2.0.1 fails to enforce proper authorization checks, allowing authenticated subscribers and higher-privileged users to manipulate phone number blocking settings that should be restricted to administrators. This improper access control vulnerability enables low-privileged attackers to disrupt phone number management functionality without administrative consent.

WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Flask Micro code-editor plugin for WordPress through version 1.0.0 contains a stored cross-site scripting vulnerability in its codeflask shortcode due to inadequate input validation and output encoding. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute for all visitors accessing affected pages. No patch is currently available.

WordPress Flask XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in OpenPOS Lite for WooCommerce plugin (versions up to 3.0) allows authenticated contributors and above to inject malicious scripts via the order_qrcode shortcode's width parameter, which execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping, enabling attackers to compromise page content without user interaction. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the WordPress Microtango plugin through version 0.9.29 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'restkey' parameter that execute when other users view affected pages. The vulnerability stems from inadequate input sanitization and output escaping in the mt_reservation shortcode. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the HTML Tag Shortcodes WordPress plugin through version 1.1 allows authenticated contributors and above to execute arbitrary scripts on site pages through inadequately sanitized shortcode attributes. Affected users will run attacker-injected code whenever they visit compromised pages, potentially leading to session hijacking or malicious content injection.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the WDES Responsive Popup WordPress plugin through version 1.3.6 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wdes-popup-title' shortcode due to inadequate input sanitization. When victims visit affected pages containing the injected payload, the scripts execute in their browsers, potentially compromising site integrity and user data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Twitter posts to Blog plugin for WordPress versions up to 1.11.25 lacks proper access controls on the settings function, allowing unauthenticated attackers to modify plugin configuration including Twitter API credentials and post parameters. This capability check bypass could enable attackers to hijack the plugin's functionality or escalate privileges within WordPress installations. No patch is currently available for this vulnerability.

WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Invoct PDF Invoices & Billing for WooCommerce plugin through version 1.6 fails to enforce capability checks, allowing authenticated Subscriber-level users to access sensitive data including invoice details, client information, and WordPress user email addresses. This privilege escalation vulnerability affects all WordPress installations using the affected plugin versions and has no available patch.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Custom Block Builder - Lazy Blocks WordPress plugin through version 4.2.0 allows authenticated users with Contributor privileges or higher to execute arbitrary code on the server via vulnerable functions in the LazyBlocks_Blocks class. This high-severity vulnerability (CVSS 8.8) affects all installations of the affected plugin versions with no patch currently available.

WordPress RCE
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The MMA Call Tracking WordPress plugin through version 2.3.15 lacks proper CSRF protection on its admin configuration page, allowing attackers to modify call tracking settings by tricking site administrators into clicking malicious links. An unauthenticated attacker can alter plugin configurations without authorization through forged requests. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WordPress Category Image plugin through version 2.0 allows authenticated users with Editor access or higher to inject malicious scripts via the tag-image parameter due to insufficient input validation. When other users view affected pages, the injected scripts execute in their browsers, potentially enabling session hijacking, credential theft, or site defacement. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The WPlyr Media Block plugin for WordPress through version 1.3.0 contains a stored cross-site scripting vulnerability in the '_wplyr_accent_color' parameter due to inadequate input sanitization, allowing authenticated administrators to inject malicious scripts that execute in other users' browsers. This requires high-privilege access and manual user interaction but impacts site integrity and user security across affected pages.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%.

WordPress PHP OpenSSL +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

WP eCommerce WordPre versions up to 3.15.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM This Month

The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM This Month

Orbisius Random Name Generator (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Beaver Builder Page Builder plugin for WordPress through version 2.10.0.5 allows authenticated users with Custom-level access or higher to inject malicious scripts into global settings that execute for all site visitors. The vulnerability stems from missing capability checks and insufficient input sanitization in the save_global_settings() function. Attackers can exploit this to deface pages, steal credentials, or perform actions on behalf of other users viewing affected content.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Lucky Wheel Giveaway (WordPress plugin) versions up to 1.0.22 is affected by code injection (CVSS 7.2).

WordPress RCE PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress Industrial SQLi +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated attackers can extract arbitrary post metadata from WordPress sites running Ninja Forms plugin versions up to 3.14.0 through improper merge tag filtering in repeater fields, potentially exposing sensitive data like API keys, billing information, and customer details. The vulnerability is exploitable remotely without authentication via the nf_ajax_submit AJAX action and currently lacks a patch.

WordPress Information Disclosure
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in The Events Calendar Shortcode & Block plugin for WordPress up to version 3.1.2 allows authenticated users with contributor-level access to inject malicious scripts through the `ecs-list-events` shortcode's `message` attribute due to inadequate input sanitization. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. A patch is not currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Name Directory WordPress plugin through version 1.32.0 contains a stored cross-site scripting vulnerability in its sanitization logic that allows unauthenticated attackers to inject malicious scripts through the public submission form. Attackers can exploit this by submitting content with double-encoded HTML entities that bypass security filters, and the injected scripts will execute when administrators or users view the affected pages if the submission is approved or auto-publish is enabled. This affects all installations of the vulnerable plugin versions with no patch currently available.

WordPress XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. [CVSS 5.4 MEDIUM]

WordPress Industrial PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can exploit an authorization bypass in the WCFM Marketplace plugin for WordPress (versions up to 3.7.0) to create arbitrary refund requests via the wcfm-refund-requests-form AJAX endpoint. This IDOR vulnerability allows unauthorized refund submissions for any order, potentially resulting in financial losses if automatic refund processing is enabled. No patch is currently available.

WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.

WordPress XSS AI / ML
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Unauthorized option modification in WCFM - Frontend Manager for WooCommerce up to version 6.7.24 allows authenticated Shop Manager-level users to bypass capability checks and alter arbitrary WordPress settings. An attacker with these privileges can exploit this to change the default registration role to administrator and enable user registration, gaining full admin access to the site. No patch is currently available for this vulnerability.

WordPress Privilege Escalation
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

WooCommerce Memberships for Multivendor Marketplace versions up to 2.11.8 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress PHP
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Fluent Forms Pro Add On Pack (WordPress plugin) is affected by server-side request forgery (ssrf) (CVSS 5.4).

WordPress SSRF
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Privilege escalation in JAY Login & Register WordPress plugin allows unauthenticated attackers to register as administrators. All versions up to 1.1.6 affected.

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Advanced Country Blocker (WordPress plugin) versions up to 2.3.1 contains a security vulnerability (CVSS 5.3).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the WordPress MP-Ukagaka plugin through version 1.5.2 allows unauthenticated attackers to inject malicious scripts into web pages due to insufficient input sanitization and output escaping. An attacker can exploit this by tricking users into clicking a malicious link, causing arbitrary JavaScript to execute in their browsers. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Subitem AL Slider plugin for WordPress through version 1.0.0 fails to properly sanitize the PHP_SELF parameter, allowing unauthenticated attackers to inject malicious scripts through a crafted link. An attacker can trick users into clicking a malicious URL to execute arbitrary JavaScript in their browser sessions. No patch is currently available for this reflected XSS vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Wonka Slide WordPress plugin (versions up to 1.3.3) allows authenticated users with contributor-level permissions to inject malicious scripts through the `list_class` shortcode attribute due to inadequate input sanitization. When other users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Wikiloops Track Player plugin (versions up to 1.0.1) allows authenticated contributors and above to inject malicious scripts through the wikiloops shortcode due to inadequate input sanitization and output escaping. Injected scripts execute in the browsers of users viewing affected pages, potentially compromising user sessions or stealing sensitive data. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the WordPress Video Onclick plugin through version 0.4.7 allows authenticated contributors and above to inject malicious scripts into pages via the youtube shortcode due to inadequate input sanitization. When users access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive information. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the OMIGO WordPress plugin through version 3.3 allows authenticated contributors and above to inject malicious scripts via the omigo_donate_button shortcode due to inadequate input sanitization, executing arbitrary code when users view affected pages. The vulnerability requires low privileges but impacts all users accessing compromised content, with no available patch as of now.

WordPress Golang XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Simple Bible Verse via Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The TITLE ANIMATOR plugin for WordPress lacks CSRF protection on its settings page, allowing unauthenticated attackers to modify plugin configuration through forged requests if a site administrator clicks a malicious link. This vulnerability affects all versions up to 1.0 and requires social engineering to exploit but poses a direct integrity risk to plugin functionality and site configuration.

WordPress PHP CSRF
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Premmerce WordPress plugin through version 1.3.20 contains a stored cross-site scripting vulnerability in the wizard AJAX endpoint due to inadequate input sanitization and output escaping on the state parameter. Authenticated users with subscriber-level permissions can inject malicious scripts that execute in the admin wizard interface when accessed by other users. No patch is currently available for this medium-severity vulnerability affecting plugin installations.

WordPress XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. [CVSS 6.5 MEDIUM]

WordPress SQLi PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks [CVSS 5.5 MEDIUM]

WordPress LFI PHP
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Authenticated contributors and above can inject malicious scripts into WordPress pages through the Yoast SEO plugin (versions up to 26.8) by exploiting inadequate sanitization of the yoast-schema block attribute. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user data or session security. No patch is currently available for this stored cross-site scripting vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Code Snippets WordPress plugin through version 3.9.4 lacks nonce validation on cloud snippet operations, allowing unauthenticated attackers to conduct cross-site request forgery attacks against logged-in administrators. By tricking an admin into visiting a malicious page, attackers can force unauthorized downloads or updates of cloud snippets. No patch is currently available for this vulnerability.

WordPress CSRF
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

WP Duplicate WordPress plugin has a missing authorization vulnerability leading to arbitrary file deletion that can destroy the WordPress installation.

WordPress RCE Authentication Bypass +2
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Events Listing Widget plugin for WordPress (versions ≤1.3.4) allows authenticated users with Author privileges or higher to inject malicious scripts through the Event URL parameter due to inadequate input validation. An attacker exploiting this vulnerability can execute arbitrary JavaScript in pages viewed by other users. No patch is currently available for this medium-severity vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Employee Directory plugin for WordPress through version 1.2.1 contains a stored cross-site scripting vulnerability in the search_employee_directory shortcode due to inadequate input validation on the form_title parameter. Authenticated users with Contributor privileges or higher can inject malicious scripts that persist in pages and execute in browsers of any user viewing the affected content. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WaveSurfer-WP plugin through improper sanitization of the audio shortcode 'src' attribute allows authenticated users with Contributor access or higher to inject malicious scripts into WordPress pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available for versions up to 2.8.3.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Authenticated WordPress users with Contributor access or higher can inject persistent malicious scripts into pages through the Docus - YouTube Video Playlist plugin (versions up to 1.0.6) via improper handling of shortcode attributes. These injected scripts execute in the browsers of any visitor to the affected pages, potentially compromising user sessions and data. No patch is currently available for this stored XSS vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Orange Confort+ accessibility toolbar WordPress plugin through version 0.7 allows authenticated contributors and higher-privileged users to inject malicious scripts via the ocplus_button shortcode's style parameter due to inadequate input sanitization. When other users visit pages containing the injected content, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in WordPress Tune Library plugin versions up to 1.6.3 allows authenticated users with Subscriber access to inject malicious scripts via CSV import due to inadequate input sanitization and output escaping. Attackers can execute arbitrary JavaScript in the context of any user viewing affected pages through the [tune-library] shortcode. No patch is currently available and exploitation requires valid WordPress credentials.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

plugin versions up to 1.3.3 is affected by authorization bypass through user-controlled key (CVSS 4.3).

WordPress
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The Greenshift animation and page builder plugin for WordPress (up to version 12.6) fails to properly validate user capabilities on the greenshift_app_pass_validation() function, allowing authenticated subscribers and above to extract sensitive plugin configuration including stored AI API keys and inject malicious scripts through the custom_css setting. This combination of information disclosure and stored cross-site scripting (XSS) requires only valid WordPress user credentials to exploit, with a partial patch available in version 12.6.

WordPress Authentication Bypass XSS
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Peter's Date Countdown plugin for WordPress through version 2.0.0 contains a reflected cross-site scripting vulnerability in the PHP_SELF parameter that allows unauthenticated attackers to inject malicious scripts. Exploitation requires social engineering to trick users into clicking a malicious link, but successful attacks can compromise user sessions and steal sensitive data. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

All In One Image Viewer Block (WordPress plugin) is affected by server-side request forgery (ssrf) (CVSS 7.2).

WordPress SSRF
NVD
Prev Page 27 of 194 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy