Skip to main content

WordPress

17354 CVEs vendor

Monthly

CVE-2026-15297 MEDIUM This Month

Reflected Cross-Site Scripting in the Brevo (formerly Sendinblue) Newsletter, SMTP, Email marketing and Subscribe forms WordPress plugin allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in victims' browsers through a crafted URL containing a malicious payload in the `page` parameter. All plugin versions up to and including 3.1.77 are affected, with the root flaw traced to insufficient input sanitization and output escaping in `inc/table-forms.php` at line 102. No active exploitation has been confirmed in CISA KEV, and no POC code is identified in the provided data, though the CVSS scope-change rating (S:C) elevates the effective impact beyond the plugin's own context.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15296 MEDIUM This Month

Stored Cross-Site Scripting in the affiliate-toolkit WP Affiliate Plugin with Amazon (versions through 3.7.0) allows authenticated contributors to inject persistent malicious scripts via the 'atkp_product' shortcode due to unsanitized user-supplied attributes. This represents a bypass of the previously patched CVE-2024-10227, indicating the prior fix was incomplete. Any WordPress user - including administrators - who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session theft, credential harvesting, or unauthorized admin actions. No public exploit or CISA KEV listing is identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15293 HIGH This Week

Privilege escalation in the WP Business Intelligence Lite WordPress plugin (all versions through 3.2.0) allows authenticated Subscriber-level users to tamper with stored SQL queries because the plugin fails to enforce a capability/authorization check on the query-modification action (CWE-862). When an administrator later views the maliciously altered query, the attacker's arbitrary SQL executes in the admin context, enabling account takeover or full site compromise. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported through the Wordfence threat intelligence program.

Authentication Bypass WordPress Privilege Escalation
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2026-15292 MEDIUM This Month

Stored Cross-Site Scripting in the Sudoku Shortcode WordPress plugin (all versions through 1.0.0) allows authenticated Contributors to inject persistent malicious scripts via the unsanitized 'background' parameter of the 'sudoku-sc' shortcode. Once injected into a page or post, the payload executes in the browser of every subsequent visitor, including administrators, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, though Wordfence has catalogued the vulnerability in their threat intelligence database.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15291 HIGH This Week

{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-15290 HIGH This Week

Blind SQL injection in the Ultimate Member WordPress plugin (all versions through 2.10.1) lets unauthenticated attackers inject arbitrary SQL through the member-directory search parameter, enabling extraction of sensitive database contents such as password hashes and user records. The flaw is a residual gap from the earlier CVE-2025-0308 fix, which was only partially remediated in 2.9.2. No public exploit has been identified at time of analysis, but the plugin's large install base and unauthenticated network reachability make it an attractive target.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-15289 MEDIUM This Month

Time-based SQL Injection in the Booking Calendar, Appointment Booking System WordPress plugin (versions ≤ 3.2.17) permits unauthenticated remote attackers to extract sensitive database contents via the 'wpdevart_id' parameter. The flaw exists in main_class.php due to insufficient parameter escaping and unprepared SQL queries, but is only triggerable when the Pro version is installed with the 'Delete previous dates' option enabled - a non-default configuration that meaningfully limits the exposed population. No public exploit code and no CISA KEV listing have been identified at time of analysis; the CVSS 5.9 Medium rating reflects both the high confidentiality impact and the high attack complexity imposed by the conditional prerequisites.

WordPress SQLi
NVD
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-15288 HIGH This Week

Payment amount tampering in the SureForms WordPress plugin (versions ≤ 2.2.1) lets unauthenticated attackers submit arbitrary prices when completing Stripe checkout. Because the 'create_payment_intent' and 'create_subscription_intent' handlers trust the amount supplied in user-controlled POST data instead of the form's server-side configured price, an attacker can purchase products or subscriptions for a fraction of their real cost. Reported by Wordfence and fixed in 2.2.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-15287 MEDIUM This Month

Time-based blind SQL injection in the rtMedia for WordPress, BuddyPress and bbPress plugin (versions up to and including 4.6.18) allows authenticated attackers with subscriber-level access or higher to exfiltrate sensitive data from the WordPress database via the `order_by` parameter. The low authentication bar - any registered user qualifies - combined with a network-accessible attack vector and high confidentiality impact makes this a meaningful risk for community or membership sites with open user registration enabled. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique (time-based blind SQLi) is well-understood and requires no specialized tooling.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-15286 MEDIUM This Month

Unauthorized post publication in Kadence Blocks (Gutenberg Blocks with AI by Kadence WP) versions up to and including 3.5.32 allows authenticated WordPress contributors to immediately publish posts, pages, and custom post types - entirely bypassing the platform's standard contributor review workflow. The flaw stems from a misconfigured capability check in the `get_items_permission_check` permission callback on the `process_pattern` REST API endpoint (CWE-863: Incorrect Authorization). No active exploitation is confirmed via CISA KEV, no public POC has been identified, and the CVSS score of 4.3 reflects a limited integrity-only impact with no confidentiality or availability consequences.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-15285 MEDIUM This Month

Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions through 6.4.11) allows authenticated contributors to inject persistent malicious scripts into pages via the Button widget's `custom_attributes` parameter. The root cause is a bypassable sanitization filter (`tp_senitize_js_input()`) in `modules/widgets/tp_button.php` that fails to properly neutralize HTML/JS content before rendering. When an administrator or other privileged user subsequently views an affected page, the stored payload executes in their browser context, enabling session hijacking or unauthorized administrative actions. No public exploit identified at time of analysis; patch is available in version 6.4.12.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15284 MEDIUM This Month

Stored Cross-Site Scripting in King Addons for Elementor (WordPress plugin, versions ≤51.1.62) allows authenticated attackers with subscriber-level access to inject persistent JavaScript into the WordPress admin submissions panel. The flaw stems from a two-stage sanitization failure: `sanitize_text_field()` applied during form submission storage preserves double-quote characters in `form_page_id`, and the downstream `king_addons_submissions_custom_column_content()` function then concatenates that stored value into an HTML `href` attribute via `admin_url()` without wrapping the result in `esc_url()`. No public exploit or CISA KEV listing exists at time of analysis; EPSS data was not provided in the input.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-15283 MEDIUM This Month

Stored Cross-Site Scripting in the WPvivid Backup for MainWP WordPress plugin (all versions up to and including 0.9.33) allows authenticated administrators to inject persistent malicious scripts via plugin settings fields, which then execute in any user's browser upon visiting an affected page. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, and requires an attacker to already hold administrator-level credentials. No public exploit code has been identified at time of analysis, and the CVSS 4.4 Medium score reflects both the high privilege bar and the specialized deployment conditions required.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-15282 CRITICAL Act Now

Unauthenticated arbitrary file upload in the Instant Appointment WordPress plugin (all versions ≤ 1.2) lets remote attackers upload files of any type through the 'insapp_upload_image_as_attachment' function, which lacks file-type validation, potentially enabling remote code execution by planting a PHP webshell. Any WordPress site running the plugin is exploitable without authentication or user interaction, matching its 9.8 CVSS rating. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-11818 MEDIUM This Month

Authorization bypass in the WPCafe WordPress plugin (all versions through 3.0.14) allows any authenticated subscriber-level user to fully manage email notification flow workflows that are intended to be administrator-only. The FlowAPI REST endpoints bundled within the plugin's email notification SDK rely solely on a wp_rest nonce for access control - a token freely obtainable from the frontend page source by any logged-in user - completely bypassing role-based authorization. No public exploit or active exploitation has been identified at time of analysis, though the low exploitation complexity makes this a realistic risk on sites with open user registration.

Authentication Bypass WordPress Wpcafe Restaurant Menu Online Food Ordering Table Booking System
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-11392 MEDIUM This Month

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits unauthenticated remote attackers to inject arbitrary JavaScript via the check_in_date and check_out_date URL parameters across multiple search result and Elementor widget templates. Successful exploitation requires tricking a victim into clicking a crafted link, after which the injected script executes in the victim's browser context - making logged-in administrators particularly high-value targets. No public exploit has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

WordPress XSS Wp Hotel Booking
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-13430 HIGH This Week

Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.

WordPress PHP RCE File Upload Post Export Import With Media
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2026-15070 HIGH This Week

Remote code execution in the Salon Booking System - Free Version WordPress plugin (all versions ≤ 10.30.32) lets a remote attacker write attacker-controlled PHP into the plugin's web-accessible translate-constants.php file by abusing the unprotected setCustomText AJAX handler. Because the handler lacks proper nonce validation (CWE-352 CSRF), an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link can achieve full server-side code execution. Reported by Wordfence with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.

WordPress CSRF RCE PHP Salon Booking System Free Version
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14894 CRITICAL Act Now

Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial exploitability make this a high-priority patch item.

WordPress RCE File Upload Super Forms Drag Drop Form Builder
NVD GitHub
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-5069 MEDIUM This Month

Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. No public exploit code has been identified at time of analysis, and the flaw is not listed in CISA KEV, but the low bar for exploitation (any registered site account) raises practical risk for sites using Fluent Forms payment/subscription features.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-12598 HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers log in as any existing user - including Administrators - when the Spotify Social Login addon is enabled. The flaw stems from the plugin trusting the unverified email returned by Spotify's /v1/me endpoint to match and authenticate a WordPress account, so an attacker who registers a Spotify account with a victim's email gains that victim's session. No public exploit has been identified at time of analysis; CVSS is 8.1 with attack complexity rated High due to the required addon configuration.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-12597 HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions up to and including 6.2.3) lets unauthenticated attackers hijack any existing account, including administrators, by abusing the GitHub OAuth social-login callback. The loginpress_on_github_login() function binds the login session to profile[0]['email'] from GitHub's /user/emails endpoint without checking the verified flag, so an attacker who adds an unverified email matching a victim's account and triggers the callback can be logged in as that user. This maps to CWE-287 and carries a CVSS 8.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-12595 HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers hijack any existing account - administrators included - by exploiting the Discord OAuth login handler, which trusts the email returned by Discord without checking Discord's verified flag. An attacker who knows a target's WordPress email registers a Discord account with that same (unverified) email and completes the normal OAuth flow to receive an authenticated session as the victim. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw was reported by Wordfence and is a full account-takeover primitive.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-13492 HIGH This Week

Arbitrary file deletion in the UsersWP WordPress plugin (versions ≤ 1.2.65) lets authenticated Subscriber-level users delete any file on the server, including wp-config.php, which can escalate into full site takeover. The flaw stems from unsanitized directory-traversal sequences in file-field metadata reaching an unlink() call in the upload_file_remove() AJAX handler. Reported by Wordfence with no public exploit identified at time of analysis and no active-exploitation (KEV) listing; an upstream code fix is available.

WordPress Path Traversal
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-9253 HIGH This Week

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not confirmed in the wild.

WordPress XSS Wp Cost Estimation Payment Forms Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-12428 MEDIUM This Month

Unauthorized data disclosure in the Blocks for ACF Fields WordPress plugin (versions up to and including 1.6.2) allows any authenticated user holding the Author role or above to read ACF field values from arbitrary WordPress objects - including private posts, drafts, and posts owned by other users - via an insecure REST API endpoint. The flaw stems from the REST handler accepting a user-supplied post ID and passing it directly to get_field_objects() without verifying whether the requester holds read permission on that specific object, a classic object-level authorization failure (CWE-862). Reported by Wordfence; no CISA KEV listing and no standalone public exploit code identified at time of analysis, though exploitation is operationally trivial for any attacker with a valid Author-level WordPress account.

Authentication Bypass WordPress Blocks For Acf Fields Display Custom Fields In The Block Editor
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-9021 MEDIUM This Month

Unauthenticated remote manipulation of published business quotes is possible in the Easy Invoice WordPress plugin (versions up to and including 2.1.19) due to missing authorization on AJAX endpoints. The plugin registers quote acceptance and decline actions via wp_ajax_nopriv_ hooks - making them reachable without credentials - while the only gate is a per-quote nonce that is embedded directly in the publicly viewable single-quote template. The ownership restriction that would prevent non-owners from acting on quotes is controlled by an off-by-default Pro feature flag, meaning the overwhelming majority of free-tier deployments are fully exposed to arbitrary quote status manipulation, including automatic invoice generation and client email dispatch. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress Easy Invoice Invoice Generator Pdf Quotes Payments
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9237 MEDIUM This Month

Authorization bypass in the Crew HRM WordPress plugin (all versions ≤ 1.2.2) allows any authenticated subscriber-level user to delete, archive, unarchive, and duplicate arbitrary job listings - including associated stages, metadata, addresses, and applications - by supplying an arbitrary integer job_id. The nonce that nominally gates these actions via Dispatcher::dispatch() is deliberately exposed to every authenticated frontend visitor through wp_head script localization, making the bypass trivially reproducible by any user with a WordPress account. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists; however, the nonce leak collapses the practical access barrier to subscriber level.

Authentication Bypass WordPress Employee Leave And Recruitment Management System Crew Hrm
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9235 MEDIUM This Month

Unauthorized shipping label manipulation in DHL eCommerce (Benelux) for WooCommerce versions up to 2.2.3 allows any authenticated WordPress user - down to Subscriber level - to create or delete DHL shipping labels for any WooCommerce order site-wide. The two vulnerable AJAX handlers lack both capability verification and nonce (CSRF token) checks, meaning the attacker-supplied order ID is acted upon without confirming the caller has order management rights. No public exploit is identified and this is not listed in CISA KEV, but the low authentication bar (any registered user) and operational impact on fulfillment make this a meaningful risk for Benelux e-commerce stores with open user registration.

Authentication Bypass WordPress Dhl Ecommerce Benelux For Woocommerce
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-14372 HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE Bit Form Contact Form Payment Forms Multi Step Forms Calculator Custom Form Builder
NVD
CVSS 3.1
7.1
EPSS
0.7%
CVE-2026-4275 HIGH This Week

Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. No public exploit is identified at time of analysis, but installing an attacker-supplied plugin yields effective remote code execution on the site.

WordPress CSRF Divi Torque Lite Divi Modules For The Divi Builder Theme
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-4298 MEDIUM This Month

Missing authorization in the DSGVO All in One for WP plugin (versions up to and including 4.9) allows any authenticated WordPress user with Subscriber-level access or higher to invoke the dsgvo_reset_policy_service_func() function and wipe all customized privacy policy content - cookie notices, Google Analytics policies, Facebook policies, and YouTube policies - back to plugin defaults. The root cause is a complete absence of both WordPress capability checks and nonce verification on a sensitive administrative function that accepts and acts on user-supplied parameters. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low authentication barrier makes this accessible to a wide pool of potential abusers on sites with open user registration.

Authentication Bypass WordPress Google Dsgvo All In One For Wp
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-9028 MEDIUM This Month

Unauthenticated order cancellation in CorvusPay WooCommerce Payment Gateway (all versions up to and including 2.7.4) allows any remote attacker to cancel any WooCommerce order paid via CorvusPay by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST API endpoint. The plugin registers this cancel endpoint without implementing a WordPress permission callback, meaning no authorization is verified before processing cancellation requests (CWE-862). No public exploit code and no active exploitation via CISA KEV have been identified at time of analysis, though the attack requires no credentials and minimal technical skill.

Authentication Bypass WordPress Corvuspay Woocommerce Payment Gateway
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9027 MEDIUM This Month

Payment bypass in the CorvusPay WooCommerce Payment Gateway plugin (all versions up to and including 2.7.4) enables unauthenticated remote attackers to fraudulently mark any pending WooCommerce order as fully paid, obtaining goods or services without actual payment. The `corvuspay_success_handler` function registers a publicly accessible REST endpoint where a cryptographic signature validation is performed but its boolean result is silently discarded - written only to a debug log - causing `$order->payment_complete()` to execute unconditionally regardless of signature validity. WooCommerce order IDs are sequential integers, making every pending order on an affected store trivially enumerable with no prior knowledge required. No public exploit code or CISA KEV listing was identified at time of analysis.

WordPress Jwt Attack Authentication Bypass Corvuspay Woocommerce Payment Gateway
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13441 HIGH This Week

Stored cross-site scripting in the EventPrime events plugin for WordPress (versions through 4.3.4.2, by Metagauss) lets low-privileged or, in one configuration, unauthenticated actors persist arbitrary JavaScript through the 'new_event_type_background_color' field of the event-type creation flow. The injected script runs in the browser of any user who later views the affected page, enabling session/context theft in the WordPress front end and admin context. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the finding was reported by Wordfence.

WordPress XSS Eventprime Events Calendar Bookings And Tickets
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-9240 MEDIUM This Month

Unauthorized order modification in the Colissimo Officiel shipping plugin for WordPress (versions up to and including 2.9.0) allows any authenticated subscriber-level user to overwrite the shipping method, pickup-relay metadata, and shipping address of arbitrary WooCommerce orders - including orders belonging to other customers. The vulnerability stems from a completely unguarded AJAX handler: no capability check and no nonce verification are performed before acting on caller-supplied input. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog, though Wordfence has confirmed and disclosed it with specific source-line references.

Authentication Bypass WordPress Colissimo Shipping Methods For Woocommerce
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12433 MEDIUM This Month

{id} enforces only the tfhb_manage_options capability check but never validates that the requested booking ID is owned by the requesting host, exposing attendee PII (names, emails, phone numbers, addresses), payment method and status, transaction history, and internal notes. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a fix commit is present in the WordPress plugin SVN repository.

Authentication Bypass WordPress Hydra Booking Appointment Scheduling Booking Calendar
NVD VulDB
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-15158 CRITICAL Act Now

Arbitrary file upload leading to remote code execution affects the premium Blocksy Companion Pro plugin for WordPress in all versions through 2.1.46, where the Custom Fonts extension's flawed MIME validation lets unauthenticated attackers upload executable PHP files disguised as fonts. The Custom Fonts extension registers a wp_check_filetype_and_ext filter that uses strpos() to approve any filename merely containing '.woff2' or '.ttf' anywhere in the string, so a double-extension payload like shell.woff2.php passes as a legitimate font. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress PHP RCE File Upload Blocksy Companion
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2026-14342 MEDIUM This Month

Time-based SQL injection in the Mail Mint WordPress plugin (versions ≤1.24.2) allows authenticated administrators to extract arbitrary data from the underlying database via the unsanitized 'contact_ids' parameter in the contact management API. Reported by Wordfence, the flaw is rooted in insufficient input escaping and missing prepared statements in the ContactModel and ContactController layers. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, a corrective changeset (3597255) has been committed to the WordPress plugin repository.

WordPress SQLi Mail Mint Email Marketing Newsletter Email Automation Woocommerce Emails
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-8848 HIGH This Week

Remote code execution in the Popup Maker WordPress plugin (all versions through 1.22.0) allows authenticated attackers holding editor-level access or above to install and activate an arbitrary plugin from an attacker-controlled URL, resulting in full server-side code execution. The root cause is a missing authorization check (CWE-862) in the plugin's REST API Connect controller, whose install endpoint treats a bearer token - issued by the legacy v1/connect/info endpoint - as its only non-spoofable authorization gate. Reported by Wordfence; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass WordPress RCE Popup Maker Boost Sales Conversions Optins Subscribers With The Ultimate Wp Popup Builder
NVD VulDB
CVSS 3.1
7.2
EPSS
0.7%
CVE-2026-14245 CRITICAL Act Now

Authentication bypass in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress (versions up to and including 5.5.1) lets unauthenticated attackers take over any Administrator account. Because um_reset_password_process_hook() never verifies server-side that the OTP step was completed and trusts a form_nonce that the plugin itself hands to anonymous visitors via the moumprvar JavaScript object, an attacker can supply an arbitrary username_b value to receive a fresh password-reset URL for any user in the 302 Location header. No public exploit identified at time of analysis, but the flaw is trivially scriptable and carries a critical 9.8 CVSS score.

Authentication Bypass WordPress Miniorange Otp Login Verification And Sms Notifications
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-12418 MEDIUM This Month

Unauthenticated content tampering in the WP User Frontend WordPress plugin (all versions through 4.3.7) allows any visitor to overwrite the title, body, and excerpt of any post on the site, including posts authored by administrators. The flaw stems from the wpuf_submit_post AJAX action accepting a user-controlled post reference key in the wpuf_files_data parameter without validating whether the requesting user is authorized to edit the target post - a textbook CWE-639 authorization-through-user-controlled-key failure. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires no authentication and no special configuration beyond the plugin being installed with at least one public-facing submission form.

Authentication Bypass WordPress User Frontend
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-11359 MEDIUM This Month

Unauthorized plugin installation affects the Memberships and User Profiles for WooCommerce - ProfileGrid WooCommerce Integration plugin (versions up to and including 3.4), allowing any authenticated WordPress user at Subscriber level or above to force-install and activate the ProfileGrid plugin without administrative approval. The flaw stems from a dual failure - absent capability check and absent nonce validation - on the `pg_install_profilegrid()` AJAX handler, registered via the `wp_ajax_pg_install_profilegrid` hook. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; however, the low barrier to exploitation (any authenticated user) makes this a meaningful integrity risk on multi-tenant or open-registration WooCommerce stores.

Authentication Bypass WordPress Memberships And User Profiles For Woocommerce Profilegrid Woocommerce Integration
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13450 MEDIUM This Month

Unauthenticated information disclosure in the GamiPress WordPress plugin (all versions through 7.9.4) allows any site visitor to read private activity log entries belonging to arbitrary users, including badge earnings, points balance changes, WooCommerce purchase events, LearnDash course completions, and BuddyPress activity records. The IDOR flaw in the 'access' parameter is rendered trivially exploitable because the sole authentication gate - a gamipress nonce - is deliberately broadcast to every front-end visitor via wp_localize_script, meaning no credential or privilege is required beyond loading any page on the target site. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the near-zero exploitation complexity makes it a practical mass-exploitation candidate against any unpatched deployment.

Authentication Bypass WordPress Gamipress Gamification Plugin To Reward Points Achievements Badges Ranks In Wordpress
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2026-13011 MEDIUM This Month

SQL Injection in WP ERP (wedevs) versions through 1.17.5 allows authenticated HR Manager-level users to exfiltrate arbitrary data from the WordPress database via the unsanitized `orderby` parameter in the leave management module. The flaw resides in `functions-leave.php` and `LeaveRequestsListTable.php`, where user-supplied sort parameters are interpolated directly into SQL queries without escaping or prepared statements. No public exploit code is confirmed and this CVE is not listed in the CISA KEV catalog, but the confidentiality impact is high given the plugin stores HR records, payroll data, and CRM contacts.

WordPress SQLi Erp
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13334 MEDIUM This Month

Reflected Cross-Site Scripting in the Mang Board WP WordPress plugin (all versions through 2.3.4) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'stag' parameter, which executes in the browser of any user who clicks a crafted link. Wordfence's source-level analysis identifies the flaw spanning multiple plugin files including _header.php, func.board.php, and class.store.php. No active exploitation has been identified (not in CISA KEV) and no EPSS score was provided, but the PR:N/UI:R profile makes this a viable phishing-assisted attack against WordPress site administrators and editors.

WordPress XSS Mang Board Wp
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12406 MEDIUM This Month

Authorization bypass in the WP User Frontend (WPUF) WordPress plugin through version 4.3.7 allows unauthenticated visitors to delete guest-uploaded media attachments via the wpuf_file_del AJAX action. The plugin's sole access control gate - a WordPress nonce - is self-defeated: when any WPUF shortcode is rendered on a public front-end page, the nonce value is localized into publicly readable JavaScript objects (wpuf_upload and wpuf_frontend), making it trivially extractable by any browser visitor. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified, but the zero-authentication, low-complexity attack path makes this trivially reproducible from plugin source code alone.

Authentication Bypass WordPress User Frontend
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-6910 MEDIUM This Month

Stored Cross-Site Scripting in the Bookero.pl WordPress booking plugin (versions up to and including 2.2) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the `bookero_products` shortcode. The `bookero_products()` function in `libraries/bookero-front.php` (lines 173-174) concatenates the raw `hide_products` and `filter_products` attribute values directly into an inline `<script>` block with no sanitization or output escaping, meaning any page rendered with the poisoned shortcode will execute the attacker-supplied script in every visitor's browser. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

WordPress XSS Bookero Pl System Rezerwacji Online
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-8996 MEDIUM This Month

Sensitive information exposure in the Backup and Staging by WP Time Capsule WordPress plugin (all versions through 1.22.26) allows authenticated attackers with subscriber-level access to download a previously admin-decrypted SQL database backup via the unprotected `download_recent_decrypted_file_wptc` endpoint. The downloaded backup typically contains WordPress password hashes, user credentials, and site configuration data stored in the `recent_decrypted_file` plugin option. No public exploit code exists at time of analysis, but the vulnerability is conditionally exploitable wherever subscriber-level user registration is enabled and an administrator has recently used the plugin's decrypt function.

Authentication Bypass WordPress Information Disclosure Backup And Staging By Wp Time Capsule
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13771 MEDIUM This Month

Stored Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (all versions ≤ 5.113.0) allows contributor-level authenticated users to inject arbitrary JavaScript via the 'color' attribute of the trust badge shortcode, which then executes in the browsers of every subsequent visitor to the compromised page. The trust badge rendering code in class-cr-trust-badge.php and badge-small.php fails to sanitize or escape shortcode attribute input before writing it to HTML output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; a patch commit is referenced in the WordPress SVN repository.

WordPress XSS Customer Reviews For Woocommerce
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13080 MEDIUM This Month

Local File Inclusion in the WPFunnels WordPress plugin (all versions through 3.12.7) allows authenticated administrators to include and execute arbitrary PHP files on the server via the unsanitized `logKey` parameter, yielding full remote code execution when combined with file upload capability. The attack requires administrator-level WordPress credentials and high complexity - specifically the ability to place a PHP file on the server - materially limiting the exploitable population. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a routine-patching priority tier despite its severe potential impact.

WordPress LFI RCE PHP Information Disclosure +1
NVD
CVSS 3.1
6.6
EPSS
0.7%
CVE-2026-7558 MEDIUM This Month

Unauthenticated export of sensitive WooCommerce donation records is possible in the Token of Trust WordPress plugin through version 4.0.2 due to a missing capability check on a publicly accessible export function. Any unauthenticated visitor can retrieve a CSV file containing charitable donor order dates, order IDs, donation amounts, and admin-only order edit URLs by appending a single GET parameter to any page on the affected site. No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but the trivial exploitation mechanism - requiring only a browser and a known URL parameter - means low-skill attackers can exploit it at scale.

Authentication Bypass WordPress Age Verification Identity Verification By Token Of Trust
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-15000 HIGH This Week

Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. Reported by Wordfence with a CVSS of 7.2; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Connect Contact Form 7 And Mailchimp
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-14343 MEDIUM This Month

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.61) allows authenticated contributors to inject persistent JavaScript payloads via the 'note_before' and 'note_after' shortcode attributes. The root cause is an unescaped output sink in the shortcode renderer: although wp_kses_post filters post content on save for users lacking the unfiltered_html capability, kses-allowed tag and attribute combinations that survive filtering are passed directly to the unsafe sink and execute in victims' browsers when the injected page is rendered. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress XSS Download Manager
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12170 MEDIUM This Month

Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and no CISA KEV listing, though the CVSS scope change (S:C) correctly reflects the cross-user, cross-session impact characteristic of stored XSS.

WordPress XSS Acymailing An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-13253 MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Post (PostX) WordPress plugin versions up to and including 5.0.31 allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'moreResultsText' attribute of the advanced-search Gutenberg block. The root cause is a sanitization gap: the render callback applies wp_kses() which strips disallowed HTML tags but does not encode special characters like double quotes in attribute context, and the unsanitized value is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(), allowing attribute boundary escape. No public exploit code has been identified at time of analysis, and no EPSS data was provided, but the contributor-level access requirement represents the primary real-world friction point for exploitation.

WordPress XSS Post Grid Gutenberg Blocks Postx
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-4653 MEDIUM This Month

Stored XSS in the Block, Suspend, Report for BuddyPress WordPress plugin (bp-toolkit) through version 3.6.4 allows low-privileged authenticated attackers to inject persistent malicious scripts via the 'link' parameter in report submissions. Authenticated users with subscriber-level access can plant JavaScript payloads that execute in any visitor's browser upon accessing the affected report pages, with Changed Scope (S:C) indicating execution in the victim's security context rather than the application's. No public exploit code has been identified at time of analysis and the vulnerability has not been added to CISA KEV, but on BuddyPress community sites with open registration the subscriber-level prerequisite is trivially satisfied.

WordPress XSS Block Suspend Report For Buddypress
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12517 MEDIUM POC PATCH This Month

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.

WordPress SSRF Fediverse Embeds
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-12516 MEDIUM POC PATCH This Month

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the response body. This results in a full-read Server-Side Request Forgery and open proxy.

WordPress SSRF Fediverse Embeds
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-12270 MEDIUM POC PATCH This Month

Unauthenticated remote attackers can completely bypass access controls on Everest Forms REST API endpoints in all plugin versions before 3.5.0, enabling them to read onboarding status data, modify plugin settings, and send emails from the WordPress site to arbitrary addresses. The flaw arises because the capability check is conditioned on an attacker-controllable HTTP request header - omitting or altering that header disables the authorization gate entirely. A publicly available proof-of-concept exploit exists, and SSVC assessment confirms the attack is automatable; however, this vulnerability is not in CISA KEV, and EPSS sits at 0.14%, suggesting limited observed exploitation despite the low barrier to entry.

WordPress Authentication Bypass Everest Forms
NVD WPScan
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-11875 MEDIUM POC This Month

Cookie forgery in WP Support Plus Responsive Ticket System (WordPress plugin ≤9.1.2) allows unauthenticated network attackers to impersonate any guest ticket owner by crafting an unsigned guest-session cookie containing the victim's email address, then reading, replying to, and closing that user's support tickets. The plugin fails to sign or verify its guest-session cookie, making the trust boundary between guest sessions trivially bypassable. A publicly available proof-of-concept exists per WPScan; EPSS is low at 0.14% (3rd percentile), suggesting limited observed exploitation despite automation feasibility confirmed by SSVC.

WordPress Information Disclosure Wp Support Plus Responsive Ticket System
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-11869 MEDIUM POC PATCH This Month

Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 allows any remote attacker to download the full GDPR personal data export of any user, customer, or commenter by supplying only their email address. The plugin's data subject access request (DSAR) immediate-processing path omits an authorization check, converting a legally mandated privacy feature into a privacy breach vector. A publicly available POC exploit exists, SSVC confirms the attack is automatable, and a vendor patch has been released at version 3.1.40.

WordPress Information Disclosure Wp Dsgvo Tools Gdpr
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-11571 HIGH POC PATCH This Week

Information disclosure in the Everest Forms WordPress plugin before 3.5.0 allows unauthenticated remote attackers to download other users' form submissions. The plugin generates temporary CSV files during email-notification processing but fails to reliably delete them, leaving them publicly accessible in the wp-content uploads directory under predictable, enumerable filenames. Publicly available exploit code exists and the flaw is automatable per CISA SSVC, though EPSS remains low at 0.14%; not listed in CISA KEV.

WordPress Information Disclosure Everest Forms
NVD WPScan
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5523 HIGH This Week

Privilege escalation to full account takeover in the Divi Form Builder WordPress plugin (versions up to and including 5.1.8) lets any authenticated user with subscriber-level access or higher change the email address and password of arbitrary accounts, including administrators. The flaw is an insecure direct object reference where a user ID supplied in a form submission is trusted without an authorization check. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Divi Form Builder
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-58480 CRITICAL PATCH Act Now

Remote code execution in the Blocksy Companion Pro WordPress plugin (all versions before 2.1.47) lets unauthenticated attackers upload executable PHP files through the Advanced Reviews feature, taking over the site. The save_attachments function relies on a flawed strpos() substring check inherited from the Custom Fonts extension, so a double-extension filename like shell.woff2.php passes validation while the server executes it as PHP. No public exploit has been identified at time of analysis, but a vendor patch (2.1.47) is available and the flaw was reported by VulnCheck.

WordPress PHP RCE File Upload Blocksy Companion
NVD
CVSS 4.0
9.2
EPSS
0.6%
CVE-2026-6740 MEDIUM This Month

Stored cross-site scripting in the Nexter Blocks - Gutenberg Blocks, Page Builder & AI Website Builder WordPress plugin (versions through 4.7.4) enables authenticated contributors to persistently inject malicious JavaScript via the unsanitized 'commentIcon' parameter, executing in any visitor's browser on affected pages. The CVSS Scope:Changed metric reflects that attacker-controlled code crosses trust boundaries into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions on behalf of privileged users such as site administrators. No public exploit code or CISA KEV listing was identified at time of analysis.

WordPress XSS Nexter Blocks Gutenberg Blocks Page Builder Ai Website Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6820 HIGH This Week

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated remote attackers persist arbitrary JavaScript via the 'email' parameter, which then executes in the browser of any user - including hotel staff and admins - who later views the affected page. Because the injection point is reachable without authentication and the payload is stored server-side, it enables session hijacking, admin action forgery, and content defacement against booking-management back offices. This issue is not in CISA KEV and no public exploit has been identified at time of analysis.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-12002 MEDIUM This Month

Cross-Site Request Forgery in Smash Balloon Social Photo Feed - Easy Social Feeds Plugin for WordPress (all versions through 6.11.1) enables unauthenticated remote attackers to overwrite the site's Instagram and Facebook oEmbed access tokens by forging a request that a logged-in administrator unwittingly executes. The root cause is missing or incorrect nonce validation on the `maybe_connection_data` function, WordPress's primary CSRF defense mechanism. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, a patch changeset is confirmed in the WordPress plugin repository.

WordPress CSRF Smash Balloon Social Photo Feed Easy Social Feeds Plugin
NVD
CVSS 3.1
4.7
EPSS
0.1%
CVE-2026-5459 MEDIUM This Month

Insecure Direct Object Reference in weDevs WP User Frontend plugin (all versions ≤4.3.1) allows unauthenticated network attackers to activate a free subscription tier on behalf of any registered WordPress user by supplying an arbitrary user_id to the payment_page() function, silently overwriting existing paid subscriptions and revoking premium access. The root cause is a missing authorization check on a user-controlled key (CWE-639), and because WordPress user IDs are sequential integers trivially enumerable via the REST API, this is exploitable at scale with no authentication or user interaction. No public exploit has been identified at time of analysis, but the zero-privilege, low-complexity attack path makes this straightforward to weaponize against any site monetizing through this plugin's membership features.

Authentication Bypass WordPress User Frontend
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-6459 MEDIUM This Month

Stored Cross-Site Scripting in Essential Addons for Elementor (versions up to and including 6.6.2) allows authenticated WordPress users with Author-level access or higher to inject persistent malicious JavaScript via event titles rendered through the Event Calendar widget. The injected payload executes in the browsers of any user who visits the affected page, with scope change confirmed by the CVSS:3.1 S:C designation. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low on sites that permit contributor or author registration.

WordPress XSS Essential Addons For Elementor Popular Elementor Templates Widgets
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-5356 HIGH This Week

Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0) lets unauthenticated attackers finalize bookings while paying an arbitrary amount. The Stripe Connect payment processor trusts a client-supplied PaymentIntent ID, so an attacker can replay a previously succeeded PaymentIntent token to satisfy the payment check. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-3688 HIGH This Week

Privilege escalation via Insecure Direct Object Reference in the WCFM Membership (WooCommerce Memberships for Multivendor Marketplace) WordPress plugin versions up to and including 2.11.10 lets authenticated users holding at least vendor-level access manipulate the 'wcfmvm_membership_change' AJAX action to reassign any user's account to the 'wcfm_vendor' role by altering their membership plan. Because the action never checks whether the caller is authorized to modify the targeted user, a low-privileged marketplace vendor can tamper with arbitrary accounts. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS of 8.1 and network-reachable authenticated vector make it a meaningful multivendor-store risk.

Authentication Bypass WordPress Wcfm Membership Woocommerce Memberships For Multivendor Marketplace
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-6742 MEDIUM This Month

Stored Cross-Site Scripting in the Advanced iFrame WordPress plugin (versions through 2026.1) allows authenticated contributors to permanently inject malicious scripts into WordPress pages via the unsanitized 'additional' parameter. Any site visitor loading an affected page will execute the attacker's payload in their browser, enabling session hijacking, credential theft, or defacement. No public exploit has been identified at time of analysis, and a fix has been committed to the WordPress plugin repository per Wordfence reporting.

WordPress XSS Advanced Iframe
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-14785 MEDIUM This Month

Stored Cross-Site Scripting in the SeedProd Website Builder WordPress plugin (all versions through 6.20.2) allows authenticated contributors to inject persistent malicious JavaScript via unsanitized attributes of the `seedprodnestedmenuwidget` shortcode. Any user-including administrators-who subsequently visits an affected page will execute the attacker's script in their browser, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but the contributor-level access bar lowers the threshold for abuse on multi-author WordPress sites.

WordPress XSS Website Builder By Seedprod Theme Builder Landing Page Builder Coming Soon Page Maintenance Mode
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6854 HIGH This Week

Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.8) lets remote attackers inject SQL through the 'mc_auth' parameter, enabling extraction of sensitive database contents such as user credentials and secret keys. The flaw stems from unescaped user input concatenated into an unprepared query, and being reachable without authentication makes it broadly exploitable on any site running a vulnerable version. No public exploit identified at time of analysis, but the technique (time-based blind extraction) is well understood and readily automatable.

WordPress SQLi My Calendar Accessible Event Manager
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-14250 MEDIUM This Month

Privilege escalation in the Themehunk Login Registration WordPress plugin (versions up to and including 1.0.2) allows unauthenticated attackers to self-register accounts with elevated roles - including editor - by supplying an arbitrary 'role' parameter to the publicly exposed /thlogin/v1/register REST endpoint. The handle_frontend_register() function validates the supplied role only against get_editable_roles(), which returns every administratively configurable role on the site, then passes it directly to wp_insert_user() without restricting it to the subscriber level expected for public self-registration. Exploitation is conditioned on public user registration being enabled on the target site; no public exploit code or CISA KEV listing has been identified at time of analysis.

Privilege Escalation WordPress Th Login Registration
NVD
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-12936 MEDIUM This Month

SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the high privilege requirement substantially limits the real-world attack surface.

WordPress SQLi Recurio Ultimate Subscription For Woocommerce
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-6230 HIGH This Week

SQL injection in the Tainacan WordPress plugin (versions ≤ 1.0.3) lets unauthenticated attackers exfiltrate database contents through the 'geoquery' parameter, which is concatenated into a SQL query without proper escaping or prepared-statement binding. Because the injection is time-based blind, attackers infer data character-by-character from response delays rather than direct output. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the network-reachable, no-authentication vector makes it a realistic target for automated scanning once details spread.

WordPress SQLi Tainacan
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-6818 HIGH This Week

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated attackers persist arbitrary JavaScript via the 'special_requests' booking field, which then executes when a hotel operator or user views the injected order in the admin back-end. Reported by Wordfence with a CVSS 7.2 (scope-changed) rating; no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed in version 1.8.9, whose patched source is referenced in the advisory.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-12378 HIGH POC This Week

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.

WordPress Deserialization RCE PHP Appointment Booking Calendar Plugin And Scheduling Plugin
NVD WPScan
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-10570 MEDIUM This Month

Stored cross-site scripting in the Sympl Repeater for ACF and Elementor WordPress plugin (all versions up to and including 2.3) allows authenticated attackers with Author-level access to inject persistent malicious scripts into pages via unsanitized ACF repeater field values. The root cause is the symp_arfe_replace_content() function using PHP str_replace() to insert raw get_field() output directly into Elementor-rendered HTML without any output encoding, causing the stored payload to execute in any subsequent visitor's browser. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector (6.4 Medium) reflects real cross-user impact on WordPress sites where multiple Authors are active.

WordPress XSS Sympl Repeater For Acf And Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-14500 MEDIUM This Month

Unauthenticated arbitrary file read in Bulk Order Update for WooCommerce (versions up to and including 1.6) exposes the first line of any server-side file to remote attackers without credentials. The plugin's AJAX handler bouw_fetch_csv_data() is registered on the wp_ajax_nopriv_ hook - meaning WordPress serves it to unauthenticated users - and passes attacker-controlled filesystem paths directly to fopen()/fgetcsv(), reflecting parsed output in the JSON response. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack requires no authentication and no interaction, making it straightforward to exploit against any site with the plugin active.

WordPress Oracle Path Traversal Bulk Order Update For Woocommerce
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-14489 HIGH This Week

Arbitrary file upload in the WHMCS Bridge plugin for WordPress (all versions through 6.9) lets authenticated users with Custom-level access or above upload files of any type via the unvalidated connect() function, potentially achieving remote code execution on the host. Reported by Wordfence and tracked as CWE-434, the flaw carries a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The impact hinges on the plugin's failure to enforce file-type checks before writing uploaded content to disk.

WordPress RCE File Upload Whmcs Bridge
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-9731 MEDIUM This Month

Cross-Site Request Forgery in the Wp Js Detect WordPress plugin (all versions ≤ 1.0.9) permits unauthenticated attackers to overwrite the plugin's frontend notification text and CSS settings by exploiting absent nonce validation in the plugin_settings function. Because the stored values are echoed unescaped to the WordPress frontend, a successful forged request can inject arbitrary HTML or script content visible to site visitors who have JavaScript disabled. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; EPSS data was not supplied.

WordPress CSRF Wp Js Detect
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-12153 CRITICAL Act Now

Authorization bypass in the WP Learn Manager WordPress plugin (all versions through 1.1.8) lets unauthenticated attackers install and activate arbitrary plugins from the WordPress.org repository on a vulnerable site. The flaw stems from AJAX handlers that fail to verify a caller's authorization, and Wordfence rates it CVSS 9.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, low-complexity nature makes it a high-priority patch target.

Authentication Bypass WordPress Wp Learn Manager
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-12041 MEDIUM This Month

Stored cross-site scripting in the Chatra Live Chat + ChatBot + Cart Saver WordPress plugin (all versions ≤ 1.0.12) enables authenticated attackers holding administrator-level credentials to persist arbitrary JavaScript payloads through admin settings fields that lack input sanitization and output escaping. Injected scripts execute silently in the browsers of any user who visits an affected page, enabling session hijacking, credential harvesting, or malicious redirection. Exploitation is gated behind two environmental preconditions - WordPress multisite mode or explicitly disabled unfiltered_html - and no public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS Chatra Live Chat Chatbot Cart Saver
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-9700 HIGH This Week

SQL injection in the Eventer WordPress event manager plugin (all versions through 4.4.2) lets unauthenticated attackers inject arbitrary SQL through the 'code' parameter, extracting database contents such as user credentials and session data. The flaw stems from unescaped user input concatenated into an existing query, exploitable remotely without authentication (PR:N). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 7.5 reflects confidentiality-only impact via time-based blind extraction.

WordPress SQLi Eventer
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12097 MEDIUM This Month

Authorization bypass in the User Management WordPress plugin (versions ≤ 1.2) permits unauthenticated network attackers to overwrite the plugin's export field configuration stored in the uiewp_export_field WordPress option, determining which user fields - including password hashes - are bundled into CSV exports and how columns are interpreted during user imports. Reported by Wordfence, the flaw stems from CWE-862 (Missing Authorization), meaning the plugin performs no privilege check before accepting these writes. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the ability to preconfigure exports to surface password hashes represents a meaningful secondary confidentiality risk beyond the raw CVSS 5.3 Medium score.

Authentication Bypass WordPress User Management
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-11798 MEDIUM This Month

Reflected Cross-Site Scripting in the Super Socializer WordPress plugin (versions up to and including 7.14.5) enables unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'heateor_mastodon_share' parameter, discovered and reported by Wordfence with source-level confirmation at helper.php lines 1243-1246. Successful exploitation requires social engineering a victim into clicking a crafted URL, after which the payload executes within the victim's browser session in the context of the target WordPress site. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 6.1 (Medium) rating reflects the mandatory user-interaction requirement that constrains opportunistic mass exploitation.

WordPress XSS Social Share Social Login And Social Comments Plugin Super Socializer
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-14495 HIGH This Week

Authentication bypass in the DoLogin Security plugin for WordPress (all versions through 4.3) lets remote attackers forge passwordless magic-link tokens and log in as any user, including administrators. The 32-character token is generated by seeding the Mersenne Twister PRNG (mt_srand) with a value derived from microtime() that carries only ~20 bits of entropy, so the entire token is a deterministic function of a ~10^6-value seed space that can be brute-forced offline. No public exploit identified at time of analysis, but the flaw was reported by Wordfence and the vulnerable code paths are cited directly in the WordPress plugin repository.

WordPress Authentication Bypass Dologin Security
NVD
CVSS 3.1
8.8
EPSS
0.4%
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Brevo (formerly Sendinblue) Newsletter, SMTP, Email marketing and Subscribe forms WordPress plugin allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in victims' browsers through a crafted URL containing a malicious payload in the `page` parameter. All plugin versions up to and including 3.1.77 are affected, with the root flaw traced to insufficient input sanitization and output escaping in `inc/table-forms.php` at line 102. No active exploitation has been confirmed in CISA KEV, and no POC code is identified in the provided data, though the CVSS scope-change rating (S:C) elevates the effective impact beyond the plugin's own context.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the affiliate-toolkit WP Affiliate Plugin with Amazon (versions through 3.7.0) allows authenticated contributors to inject persistent malicious scripts via the 'atkp_product' shortcode due to unsanitized user-supplied attributes. This represents a bypass of the previously patched CVE-2024-10227, indicating the prior fix was incomplete. Any WordPress user - including administrators - who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session theft, credential harvesting, or unauthorized admin actions. No public exploit or CISA KEV listing is identified at time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 8.0
HIGH This Week

Privilege escalation in the WP Business Intelligence Lite WordPress plugin (all versions through 3.2.0) allows authenticated Subscriber-level users to tamper with stored SQL queries because the plugin fails to enforce a capability/authorization check on the query-modification action (CWE-862). When an administrator later views the maliciously altered query, the attacker's arbitrary SQL executes in the admin context, enabling account takeover or full site compromise. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported through the Wordfence threat intelligence program.

Authentication Bypass WordPress Privilege Escalation
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Sudoku Shortcode WordPress plugin (all versions through 1.0.0) allows authenticated Contributors to inject persistent malicious scripts via the unsanitized 'background' parameter of the 'sudoku-sc' shortcode. Once injected into a page or post, the payload executes in the browser of every subsequent visitor, including administrators, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, though Wordfence has catalogued the vulnerability in their threat intelligence database.

WordPress XSS
NVD
EPSS 0% CVSS 7.5
HIGH This Week

{id} REST endpoints, which ship with no authentication or authorization checks. Any anonymous visitor can harvest customer PII - names, emails, phone numbers, WhatsApp message contents, full geolocation (IP, city, country, ISP, coordinates), device fingerprints, and even WordPress account details (user IDs, usernames, emails) for logged-in users who submitted the form. There is no public exploit identified at time of analysis and it is not on CISA KEV, but exploitation is trivial and requires only an HTTP client.

Authentication Bypass WordPress Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Blind SQL injection in the Ultimate Member WordPress plugin (all versions through 2.10.1) lets unauthenticated attackers inject arbitrary SQL through the member-directory search parameter, enabling extraction of sensitive database contents such as password hashes and user records. The flaw is a residual gap from the earlier CVE-2025-0308 fix, which was only partially remediated in 2.9.2. No public exploit has been identified at time of analysis, but the plugin's large install base and unauthenticated network reachability make it an attractive target.

WordPress SQLi
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Time-based SQL Injection in the Booking Calendar, Appointment Booking System WordPress plugin (versions ≤ 3.2.17) permits unauthenticated remote attackers to extract sensitive database contents via the 'wpdevart_id' parameter. The flaw exists in main_class.php due to insufficient parameter escaping and unprepared SQL queries, but is only triggerable when the Pro version is installed with the 'Delete previous dates' option enabled - a non-default configuration that meaningfully limits the exposed population. No public exploit code and no CISA KEV listing have been identified at time of analysis; the CVSS 5.9 Medium rating reflects both the high confidentiality impact and the high attack complexity imposed by the conditional prerequisites.

WordPress SQLi
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Payment amount tampering in the SureForms WordPress plugin (versions ≤ 2.2.1) lets unauthenticated attackers submit arbitrary prices when completing Stripe checkout. Because the 'create_payment_intent' and 'create_subscription_intent' handlers trust the amount supplied in user-controlled POST data instead of the form's server-side configured price, an attacker can purchase products or subscriptions for a fraction of their real cost. Reported by Wordfence and fixed in 2.2.2; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Information Disclosure
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in the rtMedia for WordPress, BuddyPress and bbPress plugin (versions up to and including 4.6.18) allows authenticated attackers with subscriber-level access or higher to exfiltrate sensitive data from the WordPress database via the `order_by` parameter. The low authentication bar - any registered user qualifies - combined with a network-accessible attack vector and high confidentiality impact makes this a meaningful risk for community or membership sites with open user registration enabled. No public exploit code or CISA KEV listing has been identified at time of analysis, but the technique (time-based blind SQLi) is well-understood and requires no specialized tooling.

WordPress SQLi
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized post publication in Kadence Blocks (Gutenberg Blocks with AI by Kadence WP) versions up to and including 3.5.32 allows authenticated WordPress contributors to immediately publish posts, pages, and custom post types - entirely bypassing the platform's standard contributor review workflow. The flaw stems from a misconfigured capability check in the `get_items_permission_check` permission callback on the `process_pattern` REST API endpoint (CWE-863: Incorrect Authorization). No active exploitation is confirmed via CISA KEV, no public POC has been identified, and the CVSS score of 4.3 reflects a limited integrity-only impact with no confidentiality or availability consequences.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in The Plus Addons for Elementor WordPress plugin (versions through 6.4.11) allows authenticated contributors to inject persistent malicious scripts into pages via the Button widget's `custom_attributes` parameter. The root cause is a bypassable sanitization filter (`tp_senitize_js_input()`) in `modules/widgets/tp_button.php` that fails to properly neutralize HTML/JS content before rendering. When an administrator or other privileged user subsequently views an affected page, the stored payload executes in their browser context, enabling session hijacking or unauthorized administrative actions. No public exploit identified at time of analysis; patch is available in version 6.4.12.

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in King Addons for Elementor (WordPress plugin, versions ≤51.1.62) allows authenticated attackers with subscriber-level access to inject persistent JavaScript into the WordPress admin submissions panel. The flaw stems from a two-stage sanitization failure: `sanitize_text_field()` applied during form submission storage preserves double-quote characters in `form_page_id`, and the downstream `king_addons_submissions_custom_column_content()` function then concatenates that stored value into an HTML `href` attribute via `admin_url()` without wrapping the result in `esc_url()`. No public exploit or CISA KEV listing exists at time of analysis; EPSS data was not provided in the input.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the WPvivid Backup for MainWP WordPress plugin (all versions up to and including 0.9.33) allows authenticated administrators to inject persistent malicious scripts via plugin settings fields, which then execute in any user's browser upon visiting an affected page. Exploitation is constrained to WordPress multi-site environments or single-site installs where the unfiltered_html capability has been explicitly disabled, and requires an attacker to already hold administrator-level credentials. No public exploit code has been identified at time of analysis, and the CVSS 4.4 Medium score reflects both the high privilege bar and the specialized deployment conditions required.

WordPress XSS
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated arbitrary file upload in the Instant Appointment WordPress plugin (all versions ≤ 1.2) lets remote attackers upload files of any type through the 'insapp_upload_image_as_attachment' function, which lacks file-type validation, potentially enabling remote code execution by planting a PHP webshell. Any WordPress site running the plugin is exploitable without authentication or user interaction, matching its 9.8 CVSS rating. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

WordPress RCE File Upload
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Authorization bypass in the WPCafe WordPress plugin (all versions through 3.0.14) allows any authenticated subscriber-level user to fully manage email notification flow workflows that are intended to be administrator-only. The FlowAPI REST endpoints bundled within the plugin's email notification SDK rely solely on a wp_rest nonce for access control - a token freely obtainable from the frontend page source by any logged-in user - completely bypassing role-based authorization. No public exploit or active exploitation has been identified at time of analysis, though the low exploitation complexity makes this a realistic risk on sites with open user registration.

Authentication Bypass WordPress Wpcafe Restaurant Menu Online Food Ordering Table Booking System
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting in the WP Hotel Booking WordPress plugin (all versions up to and including 2.3.1) permits unauthenticated remote attackers to inject arbitrary JavaScript via the check_in_date and check_out_date URL parameters across multiple search result and Elementor widget templates. Successful exploitation requires tricking a victim into clicking a crafted link, after which the injected script executes in the victim's browser context - making logged-in administrators particularly high-value targets. No public exploit has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

WordPress XSS Wp Hotel Booking
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Remote code execution in the Post Export Import with Media WordPress plugin (all versions ≤ 1.13.1) is possible because a trailing-dot filename bypass (e.g. 'shell.php.') defeats the extension allow-list in ajax_import_media_start(), letting an administrator-level user smuggle an executable PHP file into the uploads directory during a media import. Reported by Wordfence, the flaw carries CVSS 7.2 and has no public exploit identified at time of analysis; exploitation requires existing administrator (PR:H) access, making it primarily a hardening/defense-in-depth bypass rather than a mass-exploitable entry point.

WordPress PHP RCE +2
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in the Salon Booking System - Free Version WordPress plugin (all versions ≤ 10.30.32) lets a remote attacker write attacker-controlled PHP into the plugin's web-accessible translate-constants.php file by abusing the unprotected setCustomText AJAX handler. Because the handler lacks proper nonce validation (CWE-352 CSRF), an unauthenticated attacker who tricks a logged-in administrator into clicking a crafted link can achieve full server-side code execution. Reported by Wordfence with a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.

WordPress CSRF RCE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated remote code execution in the Super Forms - Drag & Drop Form Builder WordPress plugin (all versions through 6.3.313) allows attackers to upload executable files via the nopriv submit_form AJAX handler, which lacks both file-type validation (CWE-434) and any capability check. The plugin's only guardrail is a session nonce, but the companion super_create_nonce nopriv action lets any visitor mint a valid sf_nonce and session cookie on demand, collapsing the attack to two unauthenticated HTTP requests. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivial exploitability make this a high-priority patch item.

WordPress RCE File Upload +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Incorrect authorization in the Fluent Forms WordPress plugin (versions up to and including 6.2.1) enables any authenticated subscriber-level user to cancel payment subscriptions belonging to other users by supplying an arbitrary 'subscription_id' in the payment cancellation AJAX endpoint. The payment cancellation flow performs no ownership check - only that the user is authenticated - making this a classic IDOR (Insecure Direct Object Reference) under CWE-863. No public exploit code has been identified at time of analysis, and the flaw is not listed in CISA KEV, but the low bar for exploitation (any registered site account) raises practical risk for sites using Fluent Forms payment/subscription features.

Authentication Bypass WordPress Fluent Forms Customizable Contact Forms Survey Quiz Conversational Form Builder
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers log in as any existing user - including Administrators - when the Spotify Social Login addon is enabled. The flaw stems from the plugin trusting the unverified email returned by Spotify's /v1/me endpoint to match and authenticate a WordPress account, so an attacker who registers a Spotify account with a victim's email gains that victim's session. No public exploit has been identified at time of analysis; CVSS is 8.1 with attack complexity rated High due to the required addon configuration.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions up to and including 6.2.3) lets unauthenticated attackers hijack any existing account, including administrators, by abusing the GitHub OAuth social-login callback. The loginpress_on_github_login() function binds the login session to profile[0]['email'] from GitHub's /user/emails endpoint without checking the verified flag, so an attacker who adds an unverified email matching a victim's account and triggers the callback can be logged in as that user. This maps to CWE-287 and carries a CVSS 8.1; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in the LoginPress Pro WordPress plugin (versions ≤ 6.2.3) lets unauthenticated attackers hijack any existing account - administrators included - by exploiting the Discord OAuth login handler, which trusts the email returned by Discord without checking Discord's verified flag. An attacker who knows a target's WordPress email registers a Discord account with that same (unverified) email and completes the normal OAuth flow to receive an authenticated session as the victim. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw was reported by Wordfence and is a full account-takeover primitive.

Authentication Bypass WordPress
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Arbitrary file deletion in the UsersWP WordPress plugin (versions ≤ 1.2.65) lets authenticated Subscriber-level users delete any file on the server, including wp-config.php, which can escalate into full site takeover. The flaw stems from unsanitized directory-traversal sequences in file-field metadata reaching an unlink() call in the upload_file_remove() AJAX handler. Reported by Wordfence with no public exploit identified at time of analysis and no active-exploitation (KEV) listing; an upstream code fix is available.

WordPress Path Traversal
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the WP Cost Estimation & Payment Forms Builder (E&P Forms) WordPress plugin (Loopus) affects all versions through 10.5.97 and lets unauthenticated attackers persist arbitrary JavaScript via the 'customerInfos' parameter that fires when any user later views the injected page. Reported by Wordfence with a CVSS 3.1 base score of 7.2 (scope-changed), this is a persistent, no-authentication injection primitive rather than a reflected one. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is not confirmed in the wild.

WordPress XSS Wp Cost Estimation Payment Forms Builder
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized data disclosure in the Blocks for ACF Fields WordPress plugin (versions up to and including 1.6.2) allows any authenticated user holding the Author role or above to read ACF field values from arbitrary WordPress objects - including private posts, drafts, and posts owned by other users - via an insecure REST API endpoint. The flaw stems from the REST handler accepting a user-supplied post ID and passing it directly to get_field_objects() without verifying whether the requester holds read permission on that specific object, a classic object-level authorization failure (CWE-862). Reported by Wordfence; no CISA KEV listing and no standalone public exploit code identified at time of analysis, though exploitation is operationally trivial for any attacker with a valid Author-level WordPress account.

Authentication Bypass WordPress Blocks For Acf Fields Display Custom Fields In The Block Editor
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote manipulation of published business quotes is possible in the Easy Invoice WordPress plugin (versions up to and including 2.1.19) due to missing authorization on AJAX endpoints. The plugin registers quote acceptance and decline actions via wp_ajax_nopriv_ hooks - making them reachable without credentials - while the only gate is a per-quote nonce that is embedded directly in the publicly viewable single-quote template. The ownership restriction that would prevent non-owners from acting on quotes is controlled by an off-by-default Pro feature flag, meaning the overwhelming majority of free-tier deployments are fully exposed to arbitrary quote status manipulation, including automatic invoice generation and client email dispatch. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress Easy Invoice Invoice Generator Pdf Quotes Payments
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Crew HRM WordPress plugin (all versions ≤ 1.2.2) allows any authenticated subscriber-level user to delete, archive, unarchive, and duplicate arbitrary job listings - including associated stages, metadata, addresses, and applications - by supplying an arbitrary integer job_id. The nonce that nominally gates these actions via Dispatcher::dispatch() is deliberately exposed to every authenticated frontend visitor through wp_head script localization, making the bypass trivially reproducible by any user with a WordPress account. No public exploit code or active exploitation has been identified at time of analysis, and no KEV listing exists; however, the nonce leak collapses the practical access barrier to subscriber level.

Authentication Bypass WordPress Employee Leave And Recruitment Management System Crew Hrm
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized shipping label manipulation in DHL eCommerce (Benelux) for WooCommerce versions up to 2.2.3 allows any authenticated WordPress user - down to Subscriber level - to create or delete DHL shipping labels for any WooCommerce order site-wide. The two vulnerable AJAX handlers lack both capability verification and nonce (CSRF token) checks, meaning the attacker-supplied order ID is acted upon without confirming the caller has order management rights. No public exploit is identified and this is not listed in CISA KEV, but the low authentication bar (any registered user) and operational impact on fulfillment make this a meaningful risk for Benelux e-commerce stores with open user registration.

Authentication Bypass WordPress Dhl Ecommerce Benelux For Woocommerce
NVD
EPSS 1% CVSS 7.1
HIGH This Week

Arbitrary file deletion in the Bit Form WordPress plugin (all versions through 3.1.1) lets low-privileged authenticated users delete any file on the server via an unsanitized path passed to the deleteFiles function. Because a subscriber-level attacker can remove critical files such as wp-config.php, this path traversal escalates into a full site takeover / remote code execution scenario. Reported by Wordfence with a CVSS of 7.1; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress Path Traversal RCE +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery in the Divi Torque Lite WordPress plugin (versions ≤ 4.2.3) lets remote attackers install and activate arbitrary plugins by tricking a logged-in administrator into loading a malicious page. The plugin registers its /install_plugin and /activate_plugin REST routes with '__return_true' as the permission_callback, which suppresses WordPress's REST nonce check so a forged request rides the admin's session cookies past the internal capability check. No public exploit is identified at time of analysis, but installing an attacker-supplied plugin yields effective remote code execution on the site.

WordPress CSRF Divi Torque Lite Divi Modules For The Divi Builder Theme
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the DSGVO All in One for WP plugin (versions up to and including 4.9) allows any authenticated WordPress user with Subscriber-level access or higher to invoke the dsgvo_reset_policy_service_func() function and wipe all customized privacy policy content - cookie notices, Google Analytics policies, Facebook policies, and YouTube policies - back to plugin defaults. The root cause is a complete absence of both WordPress capability checks and nonce verification on a sensitive administrative function that accepts and acts on user-supplied parameters. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the low authentication barrier makes this accessible to a wide pool of potential abusers on sites with open user registration.

Authentication Bypass WordPress Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated order cancellation in CorvusPay WooCommerce Payment Gateway (all versions up to and including 2.7.4) allows any remote attacker to cancel any WooCommerce order paid via CorvusPay by supplying an arbitrary order number to the /wp-json/corvuspay/cancel/ REST API endpoint. The plugin registers this cancel endpoint without implementing a WordPress permission callback, meaning no authorization is verified before processing cancellation requests (CWE-862). No public exploit code and no active exploitation via CISA KEV have been identified at time of analysis, though the attack requires no credentials and minimal technical skill.

Authentication Bypass WordPress Corvuspay Woocommerce Payment Gateway
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Payment bypass in the CorvusPay WooCommerce Payment Gateway plugin (all versions up to and including 2.7.4) enables unauthenticated remote attackers to fraudulently mark any pending WooCommerce order as fully paid, obtaining goods or services without actual payment. The `corvuspay_success_handler` function registers a publicly accessible REST endpoint where a cryptographic signature validation is performed but its boolean result is silently discarded - written only to a debug log - causing `$order->payment_complete()` to execute unconditionally regardless of signature validity. WooCommerce order IDs are sequential integers, making every pending order on an affected store trivially enumerable with no prior knowledge required. No public exploit code or CISA KEV listing was identified at time of analysis.

WordPress Jwt Attack Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the EventPrime events plugin for WordPress (versions through 4.3.4.2, by Metagauss) lets low-privileged or, in one configuration, unauthenticated actors persist arbitrary JavaScript through the 'new_event_type_background_color' field of the event-type creation flow. The injected script runs in the browser of any user who later views the affected page, enabling session/context theft in the WordPress front end and admin context. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; the finding was reported by Wordfence.

WordPress XSS Eventprime Events Calendar Bookings And Tickets
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized order modification in the Colissimo Officiel shipping plugin for WordPress (versions up to and including 2.9.0) allows any authenticated subscriber-level user to overwrite the shipping method, pickup-relay metadata, and shipping address of arbitrary WooCommerce orders - including orders belonging to other customers. The vulnerability stems from a completely unguarded AJAX handler: no capability check and no nonce verification are performed before acting on caller-supplied input. No public exploit code has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog, though Wordfence has confirmed and disclosed it with specific source-line references.

Authentication Bypass WordPress Colissimo Shipping Methods For Woocommerce
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

{id} enforces only the tfhb_manage_options capability check but never validates that the requested booking ID is owned by the requesting host, exposing attendee PII (names, emails, phone numbers, addresses), payment method and status, transaction history, and internal notes. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a fix commit is present in the WordPress plugin SVN repository.

Authentication Bypass WordPress Hydra Booking Appointment Scheduling Booking Calendar
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload leading to remote code execution affects the premium Blocksy Companion Pro plugin for WordPress in all versions through 2.1.46, where the Custom Fonts extension's flawed MIME validation lets unauthenticated attackers upload executable PHP files disguised as fonts. The Custom Fonts extension registers a wp_check_filetype_and_ext filter that uses strpos() to approve any filename merely containing '.woff2' or '.ttf' anywhere in the string, so a double-extension payload like shell.woff2.php passes as a legitimate font. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress PHP RCE +2
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Time-based SQL injection in the Mail Mint WordPress plugin (versions ≤1.24.2) allows authenticated administrators to extract arbitrary data from the underlying database via the unsanitized 'contact_ids' parameter in the contact management API. Reported by Wordfence, the flaw is rooted in insufficient input escaping and missing prepared statements in the ContactModel and ContactController layers. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, a corrective changeset (3597255) has been committed to the WordPress plugin repository.

WordPress SQLi Mail Mint Email Marketing Newsletter Email Automation Woocommerce Emails
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Remote code execution in the Popup Maker WordPress plugin (all versions through 1.22.0) allows authenticated attackers holding editor-level access or above to install and activate an arbitrary plugin from an attacker-controlled URL, resulting in full server-side code execution. The root cause is a missing authorization check (CWE-862) in the plugin's REST API Connect controller, whose install endpoint treats a bearer token - issued by the legacy v1/connect/info endpoint - as its only non-spoofable authorization gate. Reported by Wordfence; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass WordPress RCE +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Authentication bypass in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress (versions up to and including 5.5.1) lets unauthenticated attackers take over any Administrator account. Because um_reset_password_process_hook() never verifies server-side that the OTP step was completed and trusts a form_nonce that the plugin itself hands to anonymous visitors via the moumprvar JavaScript object, an attacker can supply an arbitrary username_b value to receive a fresh password-reset URL for any user in the 302 Location header. No public exploit identified at time of analysis, but the flaw is trivially scriptable and carries a critical 9.8 CVSS score.

Authentication Bypass WordPress Miniorange Otp Login Verification And Sms Notifications
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated content tampering in the WP User Frontend WordPress plugin (all versions through 4.3.7) allows any visitor to overwrite the title, body, and excerpt of any post on the site, including posts authored by administrators. The flaw stems from the wpuf_submit_post AJAX action accepting a user-controlled post reference key in the wpuf_files_data parameter without validating whether the requesting user is authorized to edit the target post - a textbook CWE-639 authorization-through-user-controlled-key failure. No public exploit code or active exploitation has been identified at time of analysis, but the attack requires no authentication and no special configuration beyond the plugin being installed with at least one public-facing submission form.

Authentication Bypass WordPress User Frontend
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized plugin installation affects the Memberships and User Profiles for WooCommerce - ProfileGrid WooCommerce Integration plugin (versions up to and including 3.4), allowing any authenticated WordPress user at Subscriber level or above to force-install and activate the ProfileGrid plugin without administrative approval. The flaw stems from a dual failure - absent capability check and absent nonce validation - on the `pg_install_profilegrid()` AJAX handler, registered via the `wp_ajax_pg_install_profilegrid` hook. No active exploitation has been confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis; however, the low barrier to exploitation (any authenticated user) makes this a meaningful integrity risk on multi-tenant or open-registration WooCommerce stores.

Authentication Bypass WordPress Memberships And User Profiles For Woocommerce Profilegrid Woocommerce Integration
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated information disclosure in the GamiPress WordPress plugin (all versions through 7.9.4) allows any site visitor to read private activity log entries belonging to arbitrary users, including badge earnings, points balance changes, WooCommerce purchase events, LearnDash course completions, and BuddyPress activity records. The IDOR flaw in the 'access' parameter is rendered trivially exploitable because the sole authentication gate - a gamipress nonce - is deliberately broadcast to every front-end visitor via wp_localize_script, meaning no credential or privilege is required beyond loading any page on the target site. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the near-zero exploitation complexity makes it a practical mass-exploitation candidate against any unpatched deployment.

Authentication Bypass WordPress Gamipress Gamification Plugin To Reward Points Achievements Badges Ranks In Wordpress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in WP ERP (wedevs) versions through 1.17.5 allows authenticated HR Manager-level users to exfiltrate arbitrary data from the WordPress database via the unsanitized `orderby` parameter in the leave management module. The flaw resides in `functions-leave.php` and `LeaveRequestsListTable.php`, where user-supplied sort parameters are interpolated directly into SQL queries without escaping or prepared statements. No public exploit code is confirmed and this CVE is not listed in the CISA KEV catalog, but the confidentiality impact is high given the plugin stores HR records, payroll data, and CRM contacts.

WordPress SQLi Erp
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Mang Board WP WordPress plugin (all versions through 2.3.4) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'stag' parameter, which executes in the browser of any user who clicks a crafted link. Wordfence's source-level analysis identifies the flaw spanning multiple plugin files including _header.php, func.board.php, and class.store.php. No active exploitation has been identified (not in CISA KEV) and no EPSS score was provided, but the PR:N/UI:R profile makes this a viable phishing-assisted attack against WordPress site administrators and editors.

WordPress XSS Mang Board Wp
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the WP User Frontend (WPUF) WordPress plugin through version 4.3.7 allows unauthenticated visitors to delete guest-uploaded media attachments via the wpuf_file_del AJAX action. The plugin's sole access control gate - a WordPress nonce - is self-defeated: when any WPUF shortcode is rendered on a public front-end page, the nonce value is localized into publicly readable JavaScript objects (wpuf_upload and wpuf_frontend), making it trivially extractable by any browser visitor. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified, but the zero-authentication, low-complexity attack path makes this trivially reproducible from plugin source code alone.

Authentication Bypass WordPress User Frontend
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Bookero.pl WordPress booking plugin (versions up to and including 2.2) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the `bookero_products` shortcode. The `bookero_products()` function in `libraries/bookero-front.php` (lines 173-174) concatenates the raw `hide_products` and `filter_products` attribute values directly into an inline `<script>` block with no sanitization or output escaping, meaning any page rendered with the poisoned shortcode will execute the attacker-supplied script in every visitor's browser. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

WordPress XSS Bookero Pl System Rezerwacji Online
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sensitive information exposure in the Backup and Staging by WP Time Capsule WordPress plugin (all versions through 1.22.26) allows authenticated attackers with subscriber-level access to download a previously admin-decrypted SQL database backup via the unprotected `download_recent_decrypted_file_wptc` endpoint. The downloaded backup typically contains WordPress password hashes, user credentials, and site configuration data stored in the `recent_decrypted_file` plugin option. No public exploit code exists at time of analysis, but the vulnerability is conditionally exploitable wherever subscriber-level user registration is enabled and an administrator has recently used the plugin's decrypt function.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Customer Reviews for WooCommerce WordPress plugin (all versions ≤ 5.113.0) allows contributor-level authenticated users to inject arbitrary JavaScript via the 'color' attribute of the trust badge shortcode, which then executes in the browsers of every subsequent visitor to the compromised page. The trust badge rendering code in class-cr-trust-badge.php and badge-small.php fails to sanitize or escape shortcode attribute input before writing it to HTML output. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis; a patch commit is referenced in the WordPress SVN repository.

WordPress XSS Customer Reviews For Woocommerce
NVD
EPSS 1% CVSS 6.6
MEDIUM This Month

Local File Inclusion in the WPFunnels WordPress plugin (all versions through 3.12.7) allows authenticated administrators to include and execute arbitrary PHP files on the server via the unsanitized `logKey` parameter, yielding full remote code execution when combined with file upload capability. The attack requires administrator-level WordPress credentials and high complexity - specifically the ability to place a PHP file on the server - materially limiting the exploitable population. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a routine-patching priority tier despite its severe potential impact.

WordPress LFI RCE +3
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated export of sensitive WooCommerce donation records is possible in the Token of Trust WordPress plugin through version 4.0.2 due to a missing capability check on a publicly accessible export function. Any unauthenticated visitor can retrieve a CSV file containing charitable donor order dates, order IDs, donation amounts, and admin-only order edit URLs by appending a single GET parameter to any page on the affected site. No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but the trivial exploitation mechanism - requiring only a browser and a known URL parameter - means low-skill attackers can exploit it at scale.

Authentication Bypass WordPress Age Verification Identity Verification By Token Of Trust
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. Reported by Wordfence with a CVSS of 7.2; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Connect Contact Form 7 And Mailchimp
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.61) allows authenticated contributors to inject persistent JavaScript payloads via the 'note_before' and 'note_after' shortcode attributes. The root cause is an unescaped output sink in the shortcode renderer: although wp_kses_post filters post content on save for users lacking the unfiltered_html capability, kses-allowed tag and attribute combinations that survive filtering are passed directly to the unsafe sink and execute in victims' browsers when the injected page is rendered. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress XSS Download Manager
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and no CISA KEV listing, though the CVSS scope change (S:C) correctly reflects the cross-user, cross-session impact characteristic of stored XSS.

WordPress XSS Acymailing An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Post (PostX) WordPress plugin versions up to and including 5.0.31 allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the 'moreResultsText' attribute of the advanced-search Gutenberg block. The root cause is a sanitization gap: the render callback applies wp_kses() which strips disallowed HTML tags but does not encode special characters like double quotes in attribute context, and the unsanitized value is then concatenated directly into the data-viewmoretext HTML attribute without esc_attr(), allowing attribute boundary escape. No public exploit code has been identified at time of analysis, and no EPSS data was provided, but the contributor-level access requirement represents the primary real-world friction point for exploitation.

WordPress XSS Post Grid Gutenberg Blocks Postx
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Block, Suspend, Report for BuddyPress WordPress plugin (bp-toolkit) through version 3.6.4 allows low-privileged authenticated attackers to inject persistent malicious scripts via the 'link' parameter in report submissions. Authenticated users with subscriber-level access can plant JavaScript payloads that execute in any visitor's browser upon accessing the affected report pages, with Changed Scope (S:C) indicating execution in the victim's security context rather than the application's. No public exploit code has been identified at time of analysis and the vulnerability has not been added to CISA KEV, but on BuddyPress community sites with open registration the subscriber-level prerequisite is trivially satisfied.

WordPress XSS Block Suspend Report For Buddypress
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users (the gating nonce is exposed on public pages carrying an embed) to make the site request internal and private-network URLs and read back the parsed page metadata. This is a Server-Side Request Forgery.

WordPress SSRF Fediverse Embeds
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back the response body. This results in a full-read Server-Side Request Forgery and open proxy.

WordPress SSRF Fediverse Embeds
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Unauthenticated remote attackers can completely bypass access controls on Everest Forms REST API endpoints in all plugin versions before 3.5.0, enabling them to read onboarding status data, modify plugin settings, and send emails from the WordPress site to arbitrary addresses. The flaw arises because the capability check is conditioned on an attacker-controllable HTTP request header - omitting or altering that header disables the authorization gate entirely. A publicly available proof-of-concept exploit exists, and SSVC assessment confirms the attack is automatable; however, this vulnerability is not in CISA KEV, and EPSS sits at 0.14%, suggesting limited observed exploitation despite the low barrier to entry.

WordPress Authentication Bypass Everest Forms
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Cookie forgery in WP Support Plus Responsive Ticket System (WordPress plugin ≤9.1.2) allows unauthenticated network attackers to impersonate any guest ticket owner by crafting an unsigned guest-session cookie containing the victim's email address, then reading, replying to, and closing that user's support tickets. The plugin fails to sign or verify its guest-session cookie, making the trust boundary between guest sessions trivially bypassable. A publicly available proof-of-concept exists per WPScan; EPSS is low at 0.14% (3rd percentile), suggesting limited observed exploitation despite automation feasibility confirmed by SSVC.

WordPress Information Disclosure Wp Support Plus Responsive Ticket System
NVD WPScan
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated personal data exfiltration in WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 allows any remote attacker to download the full GDPR personal data export of any user, customer, or commenter by supplying only their email address. The plugin's data subject access request (DSAR) immediate-processing path omits an authorization check, converting a legally mandated privacy feature into a privacy breach vector. A publicly available POC exploit exists, SSVC confirms the attack is automatable, and a vendor patch has been released at version 3.1.40.

WordPress Information Disclosure Wp Dsgvo Tools Gdpr
NVD WPScan
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Information disclosure in the Everest Forms WordPress plugin before 3.5.0 allows unauthenticated remote attackers to download other users' form submissions. The plugin generates temporary CSV files during email-notification processing but fails to reliably delete them, leaving them publicly accessible in the wp-content uploads directory under predictable, enumerable filenames. Publicly available exploit code exists and the flaw is automatable per CISA SSVC, though EPSS remains low at 0.14%; not listed in CISA KEV.

WordPress Information Disclosure Everest Forms
NVD WPScan
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation to full account takeover in the Divi Form Builder WordPress plugin (versions up to and including 5.1.8) lets any authenticated user with subscriber-level access or higher change the email address and password of arbitrary accounts, including administrators. The flaw is an insecure direct object reference where a user ID supplied in a form submission is trusted without an authorization check. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Divi Form Builder
NVD
EPSS 1% CVSS 9.2
CRITICAL PATCH Act Now

Remote code execution in the Blocksy Companion Pro WordPress plugin (all versions before 2.1.47) lets unauthenticated attackers upload executable PHP files through the Advanced Reviews feature, taking over the site. The save_attachments function relies on a flawed strpos() substring check inherited from the Custom Fonts extension, so a double-extension filename like shell.woff2.php passes validation while the server executes it as PHP. No public exploit has been identified at time of analysis, but a vendor patch (2.1.47) is available and the flaw was reported by VulnCheck.

WordPress PHP RCE +2
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Nexter Blocks - Gutenberg Blocks, Page Builder & AI Website Builder WordPress plugin (versions through 4.7.4) enables authenticated contributors to persistently inject malicious JavaScript via the unsanitized 'commentIcon' parameter, executing in any visitor's browser on affected pages. The CVSS Scope:Changed metric reflects that attacker-controlled code crosses trust boundaries into the victim's browser session, enabling session hijacking, credential theft, or unauthorized actions on behalf of privileged users such as site administrators. No public exploit code or CISA KEV listing was identified at time of analysis.

WordPress XSS Nexter Blocks Gutenberg Blocks Page Builder Ai Website Builder
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated remote attackers persist arbitrary JavaScript via the 'email' parameter, which then executes in the browser of any user - including hotel staff and admins - who later views the affected page. Because the injection point is reachable without authentication and the payload is stored server-side, it enables session hijacking, admin action forgery, and content defacement against booking-management back offices. This issue is not in CISA KEV and no public exploit has been identified at time of analysis.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Cross-Site Request Forgery in Smash Balloon Social Photo Feed - Easy Social Feeds Plugin for WordPress (all versions through 6.11.1) enables unauthenticated remote attackers to overwrite the site's Instagram and Facebook oEmbed access tokens by forging a request that a logged-in administrator unwittingly executes. The root cause is missing or incorrect nonce validation on the `maybe_connection_data` function, WordPress's primary CSRF defense mechanism. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, a patch changeset is confirmed in the WordPress plugin repository.

WordPress CSRF Smash Balloon Social Photo Feed Easy Social Feeds Plugin
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Insecure Direct Object Reference in weDevs WP User Frontend plugin (all versions ≤4.3.1) allows unauthenticated network attackers to activate a free subscription tier on behalf of any registered WordPress user by supplying an arbitrary user_id to the payment_page() function, silently overwriting existing paid subscriptions and revoking premium access. The root cause is a missing authorization check on a user-controlled key (CWE-639), and because WordPress user IDs are sequential integers trivially enumerable via the REST API, this is exploitable at scale with no authentication or user interaction. No public exploit has been identified at time of analysis, but the zero-privilege, low-complexity attack path makes this straightforward to weaponize against any site monetizing through this plugin's membership features.

Authentication Bypass WordPress User Frontend
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Essential Addons for Elementor (versions up to and including 6.6.2) allows authenticated WordPress users with Author-level access or higher to inject persistent malicious JavaScript via event titles rendered through the Event Calendar widget. The injected payload executes in the browsers of any user who visits the affected page, with scope change confirmed by the CVSS:3.1 S:C designation. No public exploit code or CISA KEV listing has been identified at time of analysis, but the authentication barrier is low on sites that permit contributor or author registration.

WordPress XSS Essential Addons For Elementor Popular Elementor Templates Widgets
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0) lets unauthenticated attackers finalize bookings while paying an arbitrary amount. The Stripe Connect payment processor trusts a client-supplied PaymentIntent ID, so an attacker can replay a previously succeeded PaymentIntent token to satisfy the payment check. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Privilege escalation via Insecure Direct Object Reference in the WCFM Membership (WooCommerce Memberships for Multivendor Marketplace) WordPress plugin versions up to and including 2.11.10 lets authenticated users holding at least vendor-level access manipulate the 'wcfmvm_membership_change' AJAX action to reassign any user's account to the 'wcfm_vendor' role by altering their membership plan. Because the action never checks whether the caller is authorized to modify the targeted user, a low-privileged marketplace vendor can tamper with arbitrary accounts. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS of 8.1 and network-reachable authenticated vector make it a meaningful multivendor-store risk.

Authentication Bypass WordPress Wcfm Membership Woocommerce Memberships For Multivendor Marketplace
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Advanced iFrame WordPress plugin (versions through 2026.1) allows authenticated contributors to permanently inject malicious scripts into WordPress pages via the unsanitized 'additional' parameter. Any site visitor loading an affected page will execute the attacker's payload in their browser, enabling session hijacking, credential theft, or defacement. No public exploit has been identified at time of analysis, and a fix has been committed to the WordPress plugin repository per Wordfence reporting.

WordPress XSS Advanced Iframe
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the SeedProd Website Builder WordPress plugin (all versions through 6.20.2) allows authenticated contributors to inject persistent malicious JavaScript via unsanitized attributes of the `seedprodnestedmenuwidget` shortcode. Any user-including administrators-who subsequently visits an affected page will execute the attacker's script in their browser, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing is identified at time of analysis, but the contributor-level access bar lowers the threshold for abuse on multi-author WordPress sites.

WordPress XSS Website Builder By Seedprod Theme Builder Landing Page Builder Coming Soon Page Maintenance Mode
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated blind SQL injection in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.8) lets remote attackers inject SQL through the 'mc_auth' parameter, enabling extraction of sensitive database contents such as user credentials and secret keys. The flaw stems from unescaped user input concatenated into an unprepared query, and being reachable without authentication makes it broadly exploitable on any site running a vulnerable version. No public exploit identified at time of analysis, but the technique (time-based blind extraction) is well understood and readily automatable.

WordPress SQLi My Calendar Accessible Event Manager
NVD
EPSS 0% CVSS 6.3
MEDIUM This Month

Privilege escalation in the Themehunk Login Registration WordPress plugin (versions up to and including 1.0.2) allows unauthenticated attackers to self-register accounts with elevated roles - including editor - by supplying an arbitrary 'role' parameter to the publicly exposed /thlogin/v1/register REST endpoint. The handle_frontend_register() function validates the supplied role only against get_editable_roles(), which returns every administratively configurable role on the site, then passes it directly to wp_insert_user() without restricting it to the subscriber level expected for public self-registration. Exploitation is conditioned on public user registration being enabled on the target site; no public exploit code or CISA KEV listing has been identified at time of analysis.

Privilege Escalation WordPress Th Login Registration
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL Injection in the Recurio - Ultimate Subscription for WooCommerce WordPress plugin (versions up to and including 1.1.3) exposes the full WordPress database to authenticated shop managers via an unsanitized 'data' parameter in the subscription engine. Attackers with shop manager-level credentials or higher can append arbitrary SQL clauses to existing queries, enabling extraction of sensitive records including customer PII, order history, and WordPress user data. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the high privilege requirement substantially limits the real-world attack surface.

WordPress SQLi Recurio Ultimate Subscription For Woocommerce
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the Tainacan WordPress plugin (versions ≤ 1.0.3) lets unauthenticated attackers exfiltrate database contents through the 'geoquery' parameter, which is concatenated into a SQL query without proper escaping or prepared-statement binding. Because the injection is time-based blind, attackers infer data character-by-character from response delays rather than direct output. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the network-reachable, no-authentication vector makes it a realistic target for automated scanning once details spread.

WordPress SQLi Tainacan
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.8) lets unauthenticated attackers persist arbitrary JavaScript via the 'special_requests' booking field, which then executes when a hotel operator or user views the injected order in the admin back-end. Reported by Wordfence with a CVSS 7.2 (scope-changed) rating; no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed in version 1.8.9, whose patched source is referenced in the advisory.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
EPSS 0% CVSS 8.1
HIGH POC This Week

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated attackers to inject arbitrary PHP objects; where a suitable gadget chain is present on the site this can be leveraged to achieve remote code execution.

WordPress Deserialization RCE +2
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the Sympl Repeater for ACF and Elementor WordPress plugin (all versions up to and including 2.3) allows authenticated attackers with Author-level access to inject persistent malicious scripts into pages via unsanitized ACF repeater field values. The root cause is the symp_arfe_replace_content() function using PHP str_replace() to insert raw get_field() output directly into Elementor-rendered HTML without any output encoding, causing the stored payload to execute in any subsequent visitor's browser. No public exploit code or CISA KEV listing has been identified at time of analysis, but the scope-changed CVSS vector (6.4 Medium) reflects real cross-user impact on WordPress sites where multiple Authors are active.

WordPress XSS Sympl Repeater For Acf And Elementor
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated arbitrary file read in Bulk Order Update for WooCommerce (versions up to and including 1.6) exposes the first line of any server-side file to remote attackers without credentials. The plugin's AJAX handler bouw_fetch_csv_data() is registered on the wp_ajax_nopriv_ hook - meaning WordPress serves it to unauthenticated users - and passes attacker-controlled filesystem paths directly to fopen()/fgetcsv(), reflecting parsed output in the JSON response. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the attack requires no authentication and no interaction, making it straightforward to exploit against any site with the plugin active.

WordPress Oracle Path Traversal +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Arbitrary file upload in the WHMCS Bridge plugin for WordPress (all versions through 6.9) lets authenticated users with Custom-level access or above upload files of any type via the unvalidated connect() function, potentially achieving remote code execution on the host. Reported by Wordfence and tracked as CWE-434, the flaw carries a CVSS of 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The impact hinges on the plugin's failure to enforce file-type checks before writing uploaded content to disk.

WordPress RCE File Upload +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Wp Js Detect WordPress plugin (all versions ≤ 1.0.9) permits unauthenticated attackers to overwrite the plugin's frontend notification text and CSS settings by exploiting absent nonce validation in the plugin_settings function. Because the stored values are echoed unescaped to the WordPress frontend, a successful forged request can inject arbitrary HTML or script content visible to site visitors who have JavaScript disabled. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; EPSS data was not supplied.

WordPress CSRF Wp Js Detect
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authorization bypass in the WP Learn Manager WordPress plugin (all versions through 1.1.8) lets unauthenticated attackers install and activate arbitrary plugins from the WordPress.org repository on a vulnerable site. The flaw stems from AJAX handlers that fail to verify a caller's authorization, and Wordfence rates it CVSS 9.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the unauthenticated, low-complexity nature makes it a high-priority patch target.

Authentication Bypass WordPress Wp Learn Manager
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored cross-site scripting in the Chatra Live Chat + ChatBot + Cart Saver WordPress plugin (all versions ≤ 1.0.12) enables authenticated attackers holding administrator-level credentials to persist arbitrary JavaScript payloads through admin settings fields that lack input sanitization and output escaping. Injected scripts execute silently in the browsers of any user who visits an affected page, enabling session hijacking, credential harvesting, or malicious redirection. Exploitation is gated behind two environmental preconditions - WordPress multisite mode or explicitly disabled unfiltered_html - and no public exploit code or active exploitation has been identified at time of analysis.

WordPress XSS Chatra Live Chat Chatbot Cart Saver
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the Eventer WordPress event manager plugin (all versions through 4.4.2) lets unauthenticated attackers inject arbitrary SQL through the 'code' parameter, extracting database contents such as user credentials and session data. The flaw stems from unescaped user input concatenated into an existing query, exploitable remotely without authentication (PR:N). No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 7.5 reflects confidentiality-only impact via time-based blind extraction.

WordPress SQLi Eventer
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the User Management WordPress plugin (versions ≤ 1.2) permits unauthenticated network attackers to overwrite the plugin's export field configuration stored in the uiewp_export_field WordPress option, determining which user fields - including password hashes - are bundled into CSV exports and how columns are interpreted during user imports. Reported by Wordfence, the flaw stems from CWE-862 (Missing Authorization), meaning the plugin performs no privilege check before accepting these writes. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the ability to preconfigure exports to surface password hashes represents a meaningful secondary confidentiality risk beyond the raw CVSS 5.3 Medium score.

Authentication Bypass WordPress User Management
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Super Socializer WordPress plugin (versions up to and including 7.14.5) enables unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized 'heateor_mastodon_share' parameter, discovered and reported by Wordfence with source-level confirmation at helper.php lines 1243-1246. Successful exploitation requires social engineering a victim into clicking a crafted URL, after which the payload executes within the victim's browser session in the context of the target WordPress site. No public exploit code or active exploitation has been identified at time of analysis; the CVSS 6.1 (Medium) rating reflects the mandatory user-interaction requirement that constrains opportunistic mass exploitation.

WordPress XSS Social Share Social Login And Social Comments Plugin Super Socializer
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in the DoLogin Security plugin for WordPress (all versions through 4.3) lets remote attackers forge passwordless magic-link tokens and log in as any user, including administrators. The 32-character token is generated by seeding the Mersenne Twister PRNG (mt_srand) with a value derived from microtime() that carries only ~20 bits of entropy, so the entire token is a deterministic function of a ~10^6-value seed space that can be brute-forced offline. No public exploit identified at time of analysis, but the flaw was reported by Wordfence and the vulnerable code paths are cited directly in the WordPress plugin repository.

WordPress Authentication Bypass Dologin Security
NVD
Prev Page 3 of 193 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy