Skip to main content

WordPress

17354 CVEs vendor

Monthly

CVE-2026-14487 CRITICAL Act Now

Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.

WordPress Path Traversal RCE PHP Simple Coherent Form
NVD VulDB
CVSS 3.1
9.1
EPSS
0.7%
CVE-2026-9701 CRITICAL Act Now

Account takeover in the Eventer WordPress event-manager plugin (all versions through 4.4.2) stems from the plugin writing the password-reset key in cleartext to the `eventer_verification_code` field in `wp_usermeta`; any actor who can read that value can drive the plugin's custom reset action to set an arbitrary password for any user, including administrators. Chained with the companion SQL injection flaw CVE-2026-9700, remote attackers can extract the stored key without authentication and fully hijack accounts. There is no public exploit identified at time of analysis, and exploitation is constrained to sites running PHP 7.4 or earlier, where the reset routine functions.

WordPress SQLi PHP Eventer
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-14482 HIGH This Week

Privilege escalation in the Duoshuo (多说社会化评论框) social commenting plugin for WordPress (all versions through 1.2) lets remote attackers seize full administrator control. An unauthenticated, web-accessible API endpoint (api.php/LocalServer.php) exposes an `update_option` handler that lacks capability and nonce checks and relies on a trivially forgeable HMAC-SHA1 signature keyed on an always-empty option, allowing attackers to overwrite any WordPress option - for example flipping `default_role` to `administrator` and enabling open registration, then self-registering an admin account. No public exploit is identified at time of analysis, and it is not in CISA KEV, but the flaw is straightforward to weaponize.

Privilege Escalation WordPress
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-14158 HIGH This Week

Remote code execution in the Widget Logic Visual WordPress plugin (all versions through 1.52) lets low-privileged authenticated users run arbitrary PHP on the server. The flaw stems from the widget-logic-update-conditional-tags AJAX action lacking a capability check and nonce verification, allowing any subscriber-and-above account to store attacker-controlled data in the 'nwlv[cod-tag]' parameter that is later passed to an eval() call by widget_logic_visual_check_visibility. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

WordPress RCE File Upload Widget Logic Visual
NVD VulDB
CVSS 3.1
8.8
EPSS
0.5%
CVE-2026-9842 HIGH This Week

Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad `manage_options` capability to its `backstage_customizer_user` demo role, so an attacker reaching the demo flow can change settings such as `default_role` and escalate to a privileged account. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation WordPress Backstage Customizer Demo Access
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-14244 HIGH This Week

Arbitrary file disclosure in the Jssor Slider by jssor.com WordPress plugin (all versions through 3.1.24) lets unauthenticated remote attackers traverse the filesystem via the 'url' parameter and read the contents of any file the web server can access, such as wp-config.php. Wordfence disclosed the flaw and points to the plugin's admin controller code; no public exploit is identified at time of analysis and it is not listed in CISA KEV. EPSS was not provided, but the network-reachable, unauthenticated nature of the bug makes it an attractive scanning target.

WordPress Path Traversal Jssor Slider By Jssor Com
NVD VulDB
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-6101 HIGH This Week

Arbitrary file write in the AMP for WP - Accelerated Mobile Pages WordPress plugin (versions up to and including 1.1.12) lets authenticated Author-level users, granted permission by an Administrator, upload and unsafely extract a crafted ZIP through the ampforwp_save_local_font() function, planting attacker-controlled files in a web-accessible uploads path. On hosts configured to execute PHP from the uploads directory, this escalates to remote code execution. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; an upstream fix is present in the plugin repository (changeset 3512870).

WordPress RCE PHP Amp For Wp Accelerated Mobile Pages
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-4375 CRITICAL Act Now

Remote code execution affects the DoLeads Integrator and wp2epub WordPress plugins (both versions through 0.65), which WPScan reports have been observed being leveraged to run arbitrary code on a blog once installed. The plugins are reachable via a broader flaw that lets unauthorized users install 'unclosed'/withdrawn extensions from the wordpress.org repository, turning plugin installation into a code-execution primitive. No public exploit has been identified at time of analysis, and EPSS remains very low (0.15%, 5th percentile), indicating no observed widespread exploitation despite the high CVSS.

WordPress Authentication Bypass
NVD WPScan VulDB
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-14345 CRITICAL Act Now

Remote code execution in the WPFunnels (Funnel Builder for WooCommerce) WordPress plugin versions up to and including 3.12.7 lets attackers write attacker-controlled 'postData' into a PHP-includeable .log file that wpfnl_show_log later renders with include_once, yielding server-side code execution. The initial injection is fully unauthenticated because the nonce guarding the optin endpoint is publicly emitted on every funnel step page, though execution only fires once an administrator opens the poisoned log via the Log Settings View while the 'Enable Logs' toggle is active. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the pre-auth injection combined with a maximal 9.8 CVSS score makes it a high-priority patch for any exposed WooCommerce funnel deployment.

WordPress RCE File Upload
NVD VulDB
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-12375 CRITICAL PATCH Act Now

Full site takeover of WordPress installations running Uncanny Automator Pro before 7.3.0.6, caused by a supply-chain compromise of the vendor's build/distribution infrastructure that shipped a backdoored plugin build to customers. The injected backdoor hands unauthenticated attackers a working administrator session and beacons the site's secret keys and administrator details to attacker-controlled servers. This is a trojanized-update incident rather than a coding flaw; no public exploit is identified at time of analysis and EPSS probability is low (0.15%, 4th percentile), consistent with the threat being embedded in the code itself rather than requiring an external exploit.

WordPress Code Injection
NVD WPScan VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-12277 HIGH This Week

Arbitrary file deletion in the WordPress Frontend File Manager Plugin (versions up to and including 23.6) lets unauthenticated visitors remove any file on the server when guest upload mode is enabled, because a user-supplied file path is not validated before the delete operation. Removing critical files such as wp-config.php drops the site into its installation/setup routine, which an attacker can chain toward a complete site takeover. No public exploit is identified at time of analysis and EPSS is low (0.15%, 4th percentile), but the unauthenticated network vector and scope-changing impact make this a serious risk for exposed sites running the vulnerable configuration.

WordPress Information Disclosure PHP
NVD WPScan VulDB
CVSS 3.1
8.7
EPSS
0.1%
CVE-2026-10834 MEDIUM PATCH This Month

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
4.6
EPSS
0.1%
CVE-2026-11328 MEDIUM This Month

Stored XSS in the Exclusive Addons for Elementor WordPress plugin (all versions up to and including 2.7.9.8) allows authenticated Contributor-level users to permanently inject arbitrary JavaScript via the post title parameter in the post-duplicator extension. The CVSS Scope:Changed metric reflects that injected payloads execute in the browser contexts of other users - including administrators - who visit affected pages, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

WordPress XSS Exclusive Addons For Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12154 MEDIUM This Month

Stored Cross-Site Scripting in the Reviews Widgets for Google, Yelp & TripAdvisor WordPress plugin (versions up to and including 2.7.3) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages by abusing the 'page_id' attribute of the [fbrev] shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or further exploitation within the victim's browser context. No public exploit code has been identified at time of analysis, and no KEV listing is present, but the contributor-level access bar is low in multi-author WordPress deployments.

WordPress XSS Google Reviews Widgets For Google Tripadvisor Yelp Recommendations
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6382 CRITICAL POC PATCH Act Now

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

WordPress Command Injection PHP Fileorganizer Advanced File Manager +2
NVD WPScan VulDB
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-12083 HIGH POC PATCH This Week

The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.

WordPress Information Disclosure Admin And Site Enhancements Ase Admin Site Enhancements Pro
NVD WPScan
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-11962 HIGH POC PATCH This Week

Authenticated remote code execution in the FileOrganizer WordPress plugin before 1.2.0 lets users granted file-manager access upload arbitrary PHP files because several file-management operations skip file-type validation. Publicly available exploit code exists, and the flaw is an incomplete fix of CVE-2024-7985, which only hardened the upload operation while leaving other file-management endpoints unvalidated. With CVSS 3.1 base 8.8 (PR:L) and a working PoC, any low-privileged account with file-manager rights - extendable to sub-administrator roles via the premium add-on - can achieve full site compromise.

WordPress RCE PHP Fileorganizer
NVD WPScan
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-11855 HIGH POC PATCH This Week

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.

WordPress Code Injection Simple Membership
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-11766 HIGH POC PATCH This Week

The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.

WordPress Information Disclosure Ultimate Member
NVD WPScan VulDB
CVSS 3.1
8.0
EPSS
0.2%
CVE-2026-10830 HIGH POC PATCH This Week

The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.

WordPress Information Disclosure Allcoach
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-6228 HIGH POC PATCH This Week

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

PHP Information Disclosure WordPress Notifications For Forms Wordpress Actions
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-5137 MEDIUM This Month

Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 allows authenticated attackers with Contributor-level access to include and execute arbitrary PHP code on the server. The render_templates AJAX endpoint passes the unsanitized 'template' parameter directly into a PHP require/include statement, restricted only to files ending in _templates.php. Wordfence reported this vulnerability; no public exploit code or CISA KEV listing is present at time of analysis.

WordPress LFI Information Disclosure PHP Rtmkit
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-11398 MEDIUM This Month

Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-4804 MEDIUM This Month

Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. Those values are later concatenated unsanitized into inline CSS and rendered on every page load, triggering stored XSS against any site visitor. No active exploitation (CISA KEV) is confirmed; a vendor-released patch is available in version 4.2.1.

WordPress XSS Zakra
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9756 MEDIUM This Month

Stored XSS in the GenerateBlocks WordPress plugin (all versions through 2.2.1) allows contributor-level authenticated attackers to inject arbitrary JavaScript via the Headline Block's `linkMetaFieldType` dynamic link attribute, executing in the browser of any user - including site administrators - who clicks the injected headline link. The attack chains a `get_safe_user_meta_keys()` allowlist bypass with insufficient URI scheme validation to construct a fully attacker-controlled `javascript:` href. No CISA KEV listing exists at time of analysis, but Wordfence reporting and direct source code references lower the barrier to independent exploitation.

WordPress XSS Generateblocks
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-11778 MEDIUM This Month

Arbitrary shortcode execution in the CURCY Multi Currency for WooCommerce WordPress plugin (versions up to and including 2.2.14) allows unauthenticated attackers to invoke any registered WordPress shortcode by sending a crafted request to a vulnerable action handler in frontend/cache.php. The root cause is a failure to validate the shortcode value before passing it to do_shortcode(), meaning any shortcode registered on the site - including those that expose user data, perform database queries, or render sensitive page content - can be triggered without authentication. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the low attack complexity and zero-authentication requirement elevate practical risk above what the moderate CVSS score suggests.

Code Injection WordPress RCE Curcy Multi Currency For Woocommerce Smoothly On Woocommerce 9 X
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2026-11900 MEDIUM This Month

Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ad Inserter Ad Manager Adsense Ads
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-9148 HIGH This Week

Stored cross-site scripting in the Comments - wpDiscuz WordPress plugin (versions up to and including 7.6.56) allows unauthenticated guest commenters to persist malicious script by injecting into the 'Website' field, which is later rendered unescaped by getCommentAuthor(). The stored comment_author_url is interpolated directly into single-quoted HTML attributes without esc_url() or esc_attr(), so any visitor viewing an affected comment thread executes the attacker's payload in their browser session. No public exploit identified at time of analysis, but exploitation requires no authentication and the source-level root cause is documented in the WordPress plugin trac.

WordPress XSS Comments Wpdiscuz
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-9230 MEDIUM This Month

{id}/emails endpoint then honors that nonce without an ownership check. Attackers exploiting this can overwrite victim quiz result pages and redirect quiz notification emails to attacker-controlled addresses - a vector for targeted phishing against quiz respondents. No public exploit or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references that substantially lower the barrier to exploitation.

Authentication Bypass WordPress Quiz And Survey Master Qsm Easy Quiz And Survey Maker
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-8351 MEDIUM This Month

Stored Cross-Site Scripting in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows authenticated contributors to persist arbitrary JavaScript in WordPress pages via the Advanced Heading widget's 'Background Text' field. The root cause is the direct concatenation of the user-controlled `background_text_heading` setting into an HTML attribute inside the widget's `render()` function without applying WordPress's `esc_attr()` sanitization, reported by Wordfence. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, but the contributor-level access prerequisite makes this realistically exploitable on multi-author or open-registration WordPress sites.

WordPress XSS Rtmkit
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9180 MEDIUM This Month

Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.

Authentication Bypass WordPress PHP Motopress Appointment Booking
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-8892 MEDIUM This Month

Stored cross-site scripting in the CM Business Directory WordPress plugin (all versions ≤ 1.5.7) allows contributor-level authenticated users to persist arbitrary JavaScript in business listing address meta fields, executing against any visitor who loads the affected page. The vulnerability exploits a structural gap in WordPress's permission model: because the payload is written to post meta rather than post_content, the platform's native unfiltered_html capability check never fires, giving low-privilege contributors an injection vector that WordPress's architecture was designed to prevent. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, though Wordfence has published full technical details including exact vulnerable code line references and an upstream fix commit.

WordPress XSS Cm Business Directory Optimise And Showcase Local Business
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9626 MEDIUM This Month

Stored Cross-Site Scripting in the JSON API User WordPress plugin (versions ≤ 4.1.0) allows authenticated attackers with subscriber-level or higher access to inject persistent JavaScript via the `content` parameter of the `post_comment` API endpoint. The plugin's `post_comment()` function passes attacker-controlled `comment_content` directly to WordPress's native `wp_insert_comment()` without any HTML sanitization, and a compounding design flaw permits callers to supply `comment_approved=1` to self-approve comments and entirely bypass the WordPress moderation queue. No public exploit code or CISA KEV listing is confirmed at time of analysis; however, the CVSS scope-change flag (S:C) and low authentication barrier make this a meaningful risk on any site permitting open user registration.

WordPress XSS Json Api User
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-11397 MEDIUM This Month

Server-Side Request Forgery in WP Import Export Lite (all versions ≤ 3.9.30) allows authenticated administrators to bypass WordPress's native SSRF protections and reach internal network resources, including cloud instance metadata endpoints. The bypass exploits a design flaw: when WordPress's wp_safe_remote_get() correctly blocks a private-range URL and returns a WP_Error, the plugin's Download::download_file() method interprets that error as a cue to retry the original attacker-supplied URL via GuzzleHttp with no filtering and TLS verification disabled. No public exploit is identified at time of analysis and no CISA KEV listing exists, but the cloud credential theft scenario on hosted WordPress environments elevates practical impact beyond the 5.5 base score.

WordPress SSRF Wp Import Export Lite
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-9725 CRITICAL Act Now

Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. No public exploit has been identified at time of analysis, but the network-reachable, no-privilege profile makes this a high-priority patch.

WordPress Path Traversal RCE Printcart Web To Print Product Designer For Woocommerce
NVD VulDB
CVSS 3.1
9.1
EPSS
0.7%
CVE-2026-13040 HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the 'real_val__' form-submission parameter, which later executes in the browser of any user who views the affected page. The flaw is amplified by a design weakness: the submission handler is registered through wp_ajax_nopriv_submit_nex_form with no nonce/CSRF verification, so no authentication or valid session is required to reach the vulnerable sink. There is no public exploit identified at time of analysis and no CISA KEV listing, but the unauthenticated, network-reachable nature makes it a practical mass-exploitation candidate against exposed WordPress sites.

WordPress XSS CSRF Nex Forms Ultimate Forms Plugin For Wordpress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-8489 MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) permits any subscriber-level authenticated attacker to inject persistent malicious JavaScript via the 'about_me' profile field, which then executes in the browser of any user - including site administrators - who views the compromised profile page. The scope-changed CVSS vector (S:C, PR:L) reflects that the low barrier to obtaining a subscriber account combined with cross-origin script execution can escalate to full site compromise if an administrator's session is hijacked. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity once a subscriber account is obtained.

WordPress XSS Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-14352 HIGH This Week

Arbitrary file read in the AR for WooCommerce WordPress plugin (all versions through 8.40) lets unauthenticated attackers traverse directories via the 'file' parameter of AJAX-driven secure-download handlers, exposing wp-config.php, credentials, and other sensitive server files. The vulnerability is notable because three independent access controls - nonce validation, AES-256-CBC payload encryption, and a Referer check - each fail on default free installations, collapsing what looks like a defended endpoint into an open file-disclosure primitive. No public exploit identified at time of analysis, but the flaw is trivially reachable and was reported by Wordfence.

WordPress Path Traversal Ar For Woocommerce
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-12557 MEDIUM This Month

Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ninja Forms File Uploads
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-14327 HIGH This Week

Arbitrary file disclosure in the AR for WordPress plugin (versions up to and including 8.40) lets unauthenticated remote attackers read any file the web server can access via a path-traversal payload in the 'file' parameter of its secure-download handler. Exploitation is gated by a nonce and encryption-key check, but both can be satisfied remotely on default free or unlicensed installations, exposing wp-config.php and other secrets. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the vendor (Wordfence) documents the full unauthenticated bypass path.

WordPress Path Traversal Ar For Wordpress
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-12731 MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (versions through 2.3.0) allows authenticated contributors to persist malicious JavaScript in documentation pages by injecting arbitrary values into the 'sectionTitleTag' and 'articleTitleTag' Gutenberg block attributes, which are rendered without sanitization or output escaping in Sidebar block render.php. Any WordPress user who subsequently visits an injected documentation page will execute the attacker's script in their browser context, enabling session hijacking, credential harvesting, or defacement. No public exploit code or CISA KEV listing has been identified, but the low privilege bar (contributor) makes this accessible to a broad class of authenticated WordPress users.

WordPress XSS Wedocs
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12920 MEDIUM This Month

SQL injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (all versions up to and including 4.3.5) enables authenticated administrators to append arbitrary SQL clauses to existing queries via the unescaped 's' search parameter in the admin data-request table interface. The vulnerable code spans at least four distinct query paths in class-wpl-data-req-table.php (lines 322, 377, 492, and 513), each failing to sanitize or properly prepare user-supplied input before use in database queries. No public exploit or CISA KEV listing has been identified at time of analysis; the high privilege requirement (WordPress administrator) substantially constrains real-world attack surface.

WordPress SQLi Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-12729 MEDIUM This Month

Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable `do_migration()` function registered under the `wedocs_migrate_betterdocs_to_wedocs` AJAX action performs neither a nonce check via `check_ajax_referer()` nor a privilege check via `current_user_can()`, exposing sensitive administrative operations to the lowest authenticated user tier. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass WordPress Wedocs
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12734 MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (all versions through 2.3.0) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'connectorWidth' block attribute in the Sidebar block renderer (render.php lines 138 and 161). Any site visitor loading an affected documentation page triggers the payload in their browser, enabling session hijacking, credential harvesting, or malicious redirects. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though the attack technique is low-complexity for anyone with block editor knowledge.

WordPress XSS Wedocs
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-7311 HIGH This Week

Arbitrary file deletion in the TinyPNG (JPEG, PNG & WebP image compression) plugin for WordPress affects all versions through 3.6.13, allowing authenticated attackers with author-level access or higher to delete any file the web server can reach. Because deleting sensitive files such as wp-config.php pushes the site into a fresh-install state, this file-deletion primitive can be escalated to full remote code execution. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but it was disclosed by Wordfence with a clear exploitation path and carries a CVSS 8.1 (High).

WordPress Path Traversal RCE PHP Tinypng Jpeg Png Webp Image Compression
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2026-5524 CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP RCE File Upload +1
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57758 HIGH This Week

Stored cross-site scripting via cross-site request forgery affects the Permalink Manager for WooCommerce WordPress plugin in all versions up to and including 1.0.8.2. Because the plugin fails to validate request authenticity (CWE-352), an unauthenticated attacker who lures a logged-in administrator into loading a malicious page can forge a state-changing request that persists attacker-controlled script into the site, which later executes in the admin context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 3.1 base score is 7.1 with a scope change reflecting the CSRF-to-stored-XSS impact.

WordPress CSRF Permalink Manager For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-57753 MEDIUM This Month

Unauthenticated sensitive data exposure in the Kit (formerly ConvertKit) for WooCommerce WordPress plugin versions 2.1.5 and below allows remote unauthenticated attackers to access sensitive information without any credentials or user interaction. The vulnerability is classified under CWE-497, indicating the plugin inadvertently surfaces system or application-level sensitive data to an unauthorized control sphere - likely including API keys, subscriber data, or configuration secrets tied to the Kit email marketing integration. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure Kit Formerly Convertkit For Woocommerce
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57685 MEDIUM This Month

Broken access control in Martfury WooCommerce Marketplace WordPress Theme (versions <= 3.2.8) permits authenticated subscriber-level users to invoke functionality restricted to higher-privilege roles, achieving unauthorized integrity modifications. The flaw is rooted in CWE-862 (Missing Authorization), where theme-controlled endpoints or action handlers fail to verify that the requesting user holds sufficient capabilities beyond basic authentication. No public exploit or CISA KEV listing was present in the available data at time of analysis.

Authentication Bypass WordPress Martfury Woocommerce Marketplace Wordpress Theme
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-57677 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Novalnet Payment Gateway for WooCommerce WordPress plugin (versions 12.10.3 and earlier) lets remote attackers submit crafted serialized objects that the plugin deserializes, per CVSS enabling full compromise of confidentiality, integrity, and availability. The flaw is network-reachable without authentication or user interaction and carries a critical 9.8 CVSS score. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

WordPress Deserialization PHP Novalnet Payment Gateway For Woocommerce
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-57358 HIGH This Week

Reflected Cross-Site Scripting in the Customize My Account for WooCommerce WordPress plugin (versions 4.3.9 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The flaw carries a CVSS 7.1 rating driven by a scope change (S:C), meaning script execution crosses the plugin's security boundary into the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Customize My Account For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57356 HIGH This Week

Reflected/stored cross-site scripting in the MC WooCommerce Wishlist WordPress plugin (also distributed as 'Smart Wishlist for MoreConvert') affects all versions up to and including 1.9.19, letting remote unauthenticated attackers inject malicious script that executes in a victim's browser after the victim interacts with a crafted link or request. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs in the WordPress site's origin, enabling session/cookie theft or actions against other users. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

WordPress XSS Mc Woocommerce Wishlist
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57352 MEDIUM This Month

Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. Assigned CVSS 3.1 score of 4.8 with AV:N/AC:H/PR:N, the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. No public exploit code or active exploitation has been identified at time of analysis, and CISA KEV listing is absent.

WordPress Information Disclosure Ald Dropshipping And Fulfillment For Aliexpress And Woocommerce
NVD
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-49779 MEDIUM This Month

Path traversal in the Tax Exempt for WooCommerce plugin (versions <= 1.9.3) by Addify enables authenticated customer-level users to read arbitrary files from the server's filesystem. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact, as a low-privileged account (a standard customer/shopper) can traverse directory boundaries to access sensitive files such as wp-config.php containing database credentials. No public exploit code or active CISA KEV listing has been identified at time of analysis.

WordPress Path Traversal Tax Exempt For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-39448 HIGH This Week

Broken access control in the NOWPayments for WooCommerce WordPress plugin (versions <= 1.4.0) allows unauthenticated remote attackers to perform actions or modify state that should be restricted, without any authentication. The flaw stems from a missing authorization check (CWE-862) on a network-reachable endpoint, and per its CVSS 3.1 vector it affects integrity only (I:H) with no confidentiality or availability impact. No public exploit has been identified at time of analysis, though the vulnerability was cataloged by Patchstack, a specialist in WordPress plugin security research.

Authentication Bypass WordPress Nowpayments For Woocommerce
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-27402 HIGH This Week

Reflected/stored cross-site scripting in the DesignThemes 'Kids Life | Children School' WordPress theme (versions 5.2 and earlier) allows unauthenticated remote attackers to inject arbitrary web script that executes in a victim's browser when they interact with a crafted link or input. The CVSS vector (PR:N, UI:R, Scope Changed) indicates no authentication is needed but the victim must be lured into interaction, and the injected script can cross into other security contexts. No public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.

WordPress XSS Kids Life Children School Wordpress
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69156 HIGH This Week

Reflected cross-site scripting in the Kids Zone - Children WordPress Theme (versions 5.4 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session when the victim opens a crafted link or page. The CVSS 3.1 base score is 7.1, elevated by a scope change (S:C) reflecting that injected script escapes the vulnerable theme context into the visitor's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS value was supplied with the input.

WordPress XSS Kids Zone Children Wordpress Theme
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69155 HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the Fitness Zone WordPress theme (versions 5.7 and earlier) by designthemes allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or request. The scope-change (S:C) rating indicates the injected script can affect resources beyond the vulnerable component, such as hijacking authenticated admin sessions. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by Patchstack.

WordPress XSS Fitness Zone Wordpress Theme
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69154 HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the designthemes SpaLab | Beauty Salon WordPress theme (all versions up to and including 6.7) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 score of 7.1 reflects a scope-changing (S:C) client-side impact requiring no authentication (PR:N) but user interaction (UI:R). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied in the input.

WordPress XSS Spalab Beauty Salon Wordpress Theme
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69152 HIGH This Week

Reflected/stored Cross-Site Scripting in the Artale Wedding Photography WordPress theme (versions 2.2.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they follow a crafted link or load a poisoned page. Reported by Patchstack and rated CVSS 7.1 with a scope change, it primarily threatens site visitors and administrators through session/context theft rather than direct server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Artale Wedding Photography Wordpress
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-69134 HIGH This Week

Arbitrary content deletion in the Merkulove 'OpenAI Chatbot for WordPress - Helper' plugin (versions 1.1.4 and earlier) lets remote unauthenticated attackers destroy site content by invoking a plugin action that lacks an authorization check. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H) confirms network-reachable, no-privilege, no-interaction exploitation with high availability impact and no confidentiality or integrity compromise. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass WordPress Openai Chatbot For Wordpress Helper
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13369 HIGH This Week

Arbitrary file read in the Ninja Forms - File Uploads WordPress add-on (versions ≤ 3.3.29) lets unauthenticated remote attackers exfiltrate any file readable by the web server. A client-supplied saveProgress flag causes the process() method to return early, so a raw attacker-controlled 'files' array reaches attach_files() and get_files_for_attachment() without upload validation, path normalization, or database record creation - an attacker-chosen file_path is then passed to wp_mail() as an email attachment guarded only by a file_exists() check. No public exploit has been identified at time of analysis; there is no CISA KEV listing and no EPSS score was supplied.

WordPress Path Traversal Ninja Forms File Uploads
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-8441 HIGH This Week

SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated attackers extract arbitrary database contents through the 'notinstring' parameter of the wprp_load_more_revs AJAX action. Because the action is exposed via wp_ajax_nopriv and its required nonce is leaked to the frontend through wp_localize_script on any page rendering the plugin shortcode, anyone who can reach a public page hosting the plugin can exploit it. Reported by Wordfence with a CVSS of 7.5; no public exploit identified at time of analysis.

WordPress SQLi Wpreviewslider Com
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-9145 MEDIUM This Month

Arbitrary file copy in the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions ≤ 1.5.1) exposes any file readable by the PHP process to unauthenticated network attackers. The `create_entry_el()` function accepts attacker-controlled POST data as a file path and passes it directly to PHP's `copy()`, which transparently accepts both local filesystem paths and remote URLs - enabling server file exfiltration or remote resource staging. Exploitation requires Elementor Pro to be installed and active alongside the vulnerable plugin; no public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector and high confidentiality impact make this a credible priority for mixed Elementor Pro deployments.

WordPress Path Traversal PHP Database For Contact Form 7 Wpforms Elementor Forms
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-13251 HIGH This Week

Arbitrary file disclosure in the Perfmatters WordPress performance plugin (versions ≤ 2.6.4) lets unauthenticated attackers traverse the filesystem via the 's' parameter and read sensitive server files such as wp-config.php. The flaw only surfaces in a specific non-default configuration (Local Google Fonts enabled with pretty permalinks and RSS feed links active), and there is no public exploit identified at time of analysis. Reported by Wordfence with a CVSS of 7.5 (high).

WordPress Path Traversal Google Perfmatters
NVD VulDB
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-14029 MEDIUM This Month

SQL Injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin (all versions through 4.5.8) enables authenticated attackers with the view_contacts capability to append arbitrary SQL to existing database queries via the unsanitized 'select' parameter, resulting in full database read access. The flaw spans multiple code paths - db/query/query.php (lines 228 and 427), db/db.php (line 1366), and api/v4/base-object-api.php (line 505) - confirmed in both the 4.5.7 and 4.5.8 tagged releases by Wordfence. No public exploit code or CISA KEV listing has been identified at time of analysis, though the vulnerable code is publicly browsable in the WordPress plugin repository, materially lowering the barrier for exploit development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-10104 MEDIUM This Month

Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog, but the PR:H requirement is the primary limiting factor for real-world risk - any compromise of a shop manager account would make this trivially exploitable.

WordPress XSS Product Video Gallery For Woocommerce
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-13252 MEDIUM This Month

Stored Cross-Site Scripting in the Feedzy RSS Aggregator WordPress plugin (all versions through 5.2.1) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the unsanitized 'aspectRatio' attribute of the RSS feed block. When any user - including site administrators - visits a page containing the injected content, the payload executes in their browser, enabling session hijacking, credential theft, or privilege escalation to full site control. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the low privilege bar (contributor) and scope change to administrator sessions make this a meaningful risk for multi-author WordPress deployments.

WordPress XSS Rss Aggregator By Feedzy Feed To Post Autoblogging News Youtube Video Feeds Aggregator
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2026-12472 MEDIUM This Month

Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass WordPress Kirki Freeform Page Builder Website Builder Customizer
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-11896 MEDIUM This Month

Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and zero authentication requirement make opportunistic enumeration trivially feasible.

Authentication Bypass WordPress My Calendar Accessible Event Manager
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-12134 MEDIUM This Month

Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS 4.3 Medium score accurately reflects a bounded, integrity-only impact with no path to code execution or privilege escalation.

Authentication Bypass WordPress Joomsport For Sports
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2026-12122 MEDIUM This Month

Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.

Authentication Bypass WordPress Information Disclosure Kirki Freeform Page Builder Website Builder Customizer
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-13459 MEDIUM This Month

Unauthorized wp_postmeta enumeration in JetFormBuilder (WordPress plugin, all versions through 3.6.3) allows unauthenticated remote attackers to extract arbitrary post meta values - including WooCommerce billing PII, payment tokens, and third-party plugin credentials - by exploiting a missing authorization check in the plugin's REST API generator endpoint. The flaw exists in the get_from_db generator function, which returns database values without verifying whether the requesting user is permitted to access them. No public exploit has been identified at time of analysis, but the attack is trivially executable against any site where a published JetFormBuilder form with a get_from_db field exists, as all required parameters (form ID, field name, generator ID) are discoverable by browsing the site's public forms.

Authentication Bypass WordPress Jetformbuilder Dynamic Blocks Form Builder
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2026-9834 HIGH This Week

Authenticated OS command injection in the WP Database Backup plugin for WordPress (all versions up to and including 7.11) lets administrator-level users execute arbitrary operating system commands on the underlying server, escalating a WordPress admin foothold into full host RCE. The flaw stems from the wp_db_exclude_table POST parameter being concatenated unescaped into the mysqldump shell command; the injection is stored, so payloads persist in the options table and fire whenever a backup runs. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection WordPress RCE PHP Wp Database Backup Unlimited Database Files Backup By Backup For Wp
NVD
CVSS 3.1
7.2
EPSS
2.7%
CVE-2026-12657 MEDIUM This Month

Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2026-9188 MEDIUM This Month

Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.

Authentication Bypass WordPress Appointment Bookings For Zoom Googlemeet And More Wappointment
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-5821 HIGH This Week

Arbitrary file deletion in the Image Optimizer plugin for WordPress (versions up to and including 1.7.4) lets an authenticated attacker with Author-level access or higher delete any file the web server can write to, potentially causing denial of service, data loss, or removal of security-relevant files such as wp-config.php. The flaw stems from the plugin trusting attacker-controllable backup paths stored in post meta. This was reported by Wordfence; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

WordPress Denial Of Service
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-5348 MEDIUM This Month

Unauthenticated curriculum exposure in the Academy LMS WordPress plugin (versions ≤ 3.8.1) allows any internet user to retrieve detailed topic and lesson structures from courses explicitly protected by private, draft, scheduled, or password-protected post statuses. The root cause is the plugin's '/topics' REST API endpoint registering with '__return_true' as its permission callback, entirely bypassing WordPress's built-in post visibility and enrollment enforcement. No exploit code has been publicly identified and the vulnerability is not listed in CISA KEV, but the zero-complexity network vector makes automated course ID enumeration trivially scriptable with standard HTTP tools.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-14249 HIGH This Week

Unauthenticated code injection in the Request a Quote plugin for WordPress (versions up to and including 2.5.5) lets remote attackers invoke arbitrary zero-argument PHP functions on the server through the emd_delete_file AJAX action. Because the handler is registered for wp_ajax_nopriv and derives a callable function name from the attacker-controlled $_POST['path'] parameter, an attacker can trigger functions such as phpinfo() to expose server configuration and credentials, or destructive built-in functions. No public exploit identified at time of analysis, but the nonce that is the sole gatekeeper is printed directly into the public quote-form page, effectively neutralizing it.

WordPress RCE PHP
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13704 MEDIUM This Month

Stored Cross-Site Scripting in GiveWP (WordPress Donation Plugin and Fundraising Platform) versions up to and including 4.16.1 allows authenticated attackers holding the Give Worker role or above to inject persistent malicious scripts via the Sequoia form template's introduction image parameter. The CVSS Scope:Changed rating reflects that injected payloads execute in the security context of any victim browser that loads the affected donation page, enabling session hijacking or credential theft from site visitors and administrators alike. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13357 MEDIUM This Month

SQL injection in the Houzez Property Feed WordPress plugin (versions up to and including 2.5.46) permits authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database by manipulating the `orderby` GET parameter on admin log pages. The root cause is a `$wpdb->prepare()` misuse pattern: user-supplied `$_GET['orderby']` and `$_GET['order']` values are filtered only with `sanitize_text_field()` - which does not neutralize SQL metacharacters - then concatenated directly into the SQL format string before `prepare()` is invoked, meaning prepare() only parameterizes the trailing LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. No public exploit has been identified at time of analysis, and the high privilege requirement (WordPress Administrator) significantly constrains the realistic attacker pool.

WordPress SQLi
NVD VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-11965 MEDIUM PATCH This Month

Payment enforcement bypass in the User Registration & Membership WordPress plugin before 5.2.0 allows any visitor to self-register a free account and then activate a paid membership subscription without completing payment, gaining unauthorized access to gated premium content. The flaw is a business logic failure: the plugin activates the paid plan upon subscription initiation rather than upon confirmed payment receipt. No public exploit or CISA KEV listing exists at time of analysis, but exploitation is trivially low-effort given the plugin's open registration model and the CVSS vector of AV:N/AC:L/PR:N/UI:N.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-11781 LOW PATCH Monitor

Broken access control in the Adminify WordPress plugin before 4.2.10 allows authenticated Contributor-level users to enumerate sensitive site data through an administration search feature that omits per-user read-capability checks. Affected data includes other authors' unpublished post titles, pending comment content, installed plugin inventory, and registered user account names - all information WordPress's native capability model would otherwise restrict. No public exploit has been identified at time of analysis, and a vendor-released patch is available at version 4.2.10.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-11600 MEDIUM This Month

Private content disclosure in the Envo's Templates & Widgets for Elementor and WooCommerce WordPress plugin (versions up to and including 1.4.26) allows authenticated attackers with Author-level access to expose private or draft Elementor-rendered pages and templates to anonymous visitors. The flaw is rooted in the Tabs and Off Canvas widgets passing a user-supplied post ID directly to Elementor's get_builder_content_for_display() without any post-status or capability check, meaning the rendered output of restricted content is served publicly once an Author configures the widget. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, making this a lower-urgency but real information-disclosure risk for WordPress sites with multiple or untrusted Author-level users.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11592 MEDIUM This Month

Authorization bypass in the Email Subscribers & Newsletters WordPress plugin (all versions through 5.9.27) allows contributor-level authenticated users to hijack the site's email infrastructure - overwriting sender identity, creating mailing lists, injecting arbitrary contacts, and dispatching mass email to arbitrary external recipients. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity, network-accessible exploitation requiring only a contributor account, which is commonly available on multi-author WordPress sites. No public exploit code has been identified at time of analysis, but the abuse potential - mass phishing campaigns sent through a trusted domain's authenticated mail relay - materially exceeds what the 4.3 CVSS score implies.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-11578 LOW PATCH Monitor

Broken access control in Fluent Forms WordPress plugin before 6.2.5 allows a restricted Manager role to permanently delete form submission entries belonging to forms outside their authorized scope. The flaw stems from missing authorization checks on the deletion endpoint, which fails to verify that the target submission belongs to a form the Manager is permitted to administer. This affects only installations where an administrator has explicitly created a restricted Manager account tied to specific forms - no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
2.7
EPSS
0.1%
CVE-2026-10089 MEDIUM This Month

Stored Cross-Site Scripting in the Insert Pages WordPress plugin (versions through 3.11.4) allows authenticated attackers with author-level access to persist arbitrary JavaScript via post custom field key names. The vulnerability arises because the `the_meta()` function applies `wp_kses_post()` to custom field values but interpolates the custom field KEY directly into rendered HTML without any escaping, exploitable only when the `[insert page='ID' display='all']` shortcode is used. Any visitor loading a page containing the shortcode will execute the attacker's payload in their browser, enabling session hijacking or credential theft; no public exploit identified at time of analysis.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-10077 MEDIUM PATCH This Month

Stored XSS in the yootheme WordPress theme before version 5.0.35 enables users holding the Author role to inject persistent malicious scripts into posts by exploiting a sanitization gap between WordPress's wp_kses_post() filter and the theme's bundled front-end framework, which interprets certain permitted HTML attributes as executable markup. Any visitor - including site administrators - who views an affected post triggers script execution in their browser, creating a realistic privilege escalation path on multi-author WordPress sites. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor patch version 5.0.35 is confirmed via WPScan advisory.

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-12142 HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. No public exploit identified at time of analysis; the issue was reported by Wordfence and carries a CVSS 7.2 with a changed scope.

WordPress XSS Nex Forms Ultimate Forms Plugin For Wordpress
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-13228 HIGH This Week

Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not on CISA KEV, though the root-cause code paths are pinpointed in public plugin source.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
8.8
EPSS
0.3%
EPSS 1% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the Simple Coherent Form WordPress plugin (all versions up to and including 2.4.13) allows unauthenticated attackers to delete any file the web server can reach, and deleting wp-config.php can cascade into full remote code execution. The plugin's two intended access controls are illusory: the scf_get_id_upload endpoint hands a valid scf_upload_file_removal nonce to any anonymous visitor, and the secondary hash check can be reproduced offline because it derives from a salt hardcoded in the plugin source. There is no public exploit identified at time of analysis, but the flaw carries a high 9.1 CVSS and reflects a genuine unauthenticated-network attack path.

WordPress Path Traversal RCE +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account takeover in the Eventer WordPress event-manager plugin (all versions through 4.4.2) stems from the plugin writing the password-reset key in cleartext to the `eventer_verification_code` field in `wp_usermeta`; any actor who can read that value can drive the plugin's custom reset action to set an arbitrary password for any user, including administrators. Chained with the companion SQL injection flaw CVE-2026-9700, remote attackers can extract the stored key without authentication and fully hijack accounts. There is no public exploit identified at time of analysis, and exploitation is constrained to sites running PHP 7.4 or earlier, where the reset routine functions.

WordPress SQLi PHP +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Duoshuo (多说社会化评论框) social commenting plugin for WordPress (all versions through 1.2) lets remote attackers seize full administrator control. An unauthenticated, web-accessible API endpoint (api.php/LocalServer.php) exposes an `update_option` handler that lacks capability and nonce checks and relies on a trivially forgeable HMAC-SHA1 signature keyed on an always-empty option, allowing attackers to overwrite any WordPress option - for example flipping `default_role` to `administrator` and enabling open registration, then self-registering an admin account. No public exploit is identified at time of analysis, and it is not in CISA KEV, but the flaw is straightforward to weaponize.

Privilege Escalation WordPress
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in the Widget Logic Visual WordPress plugin (all versions through 1.52) lets low-privileged authenticated users run arbitrary PHP on the server. The flaw stems from the widget-logic-update-conditional-tags AJAX action lacking a capability check and nonce verification, allowing any subscriber-and-above account to store attacker-controlled data in the 'nwlv[cod-tag]' parameter that is later passed to an eval() call by widget_logic_visual_check_visibility. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

WordPress RCE File Upload +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Privilege escalation in the Pixelgrade Backstage - Customizer Demo Access plugin for WordPress (all versions through 1.4.2) lets unauthenticated attackers modify arbitrary site options. The plugin grants the overly broad `manage_options` capability to its `backstage_customizer_user` demo role, so an attacker reaching the demo flow can change settings such as `default_role` and escalate to a privileged account. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation WordPress Backstage Customizer Demo Access
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the Jssor Slider by jssor.com WordPress plugin (all versions through 3.1.24) lets unauthenticated remote attackers traverse the filesystem via the 'url' parameter and read the contents of any file the web server can access, such as wp-config.php. Wordfence disclosed the flaw and points to the plugin's admin controller code; no public exploit is identified at time of analysis and it is not listed in CISA KEV. EPSS was not provided, but the network-reachable, unauthenticated nature of the bug makes it an attractive scanning target.

WordPress Path Traversal Jssor Slider By Jssor Com
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file write in the AMP for WP - Accelerated Mobile Pages WordPress plugin (versions up to and including 1.1.12) lets authenticated Author-level users, granted permission by an Administrator, upload and unsafely extract a crafted ZIP through the ampforwp_save_local_font() function, planting attacker-controlled files in a web-accessible uploads path. On hosts configured to execute PHP from the uploads directory, this escalates to remote code execution. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; an upstream fix is present in the plugin repository (changeset 3512870).

WordPress RCE PHP +1
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

Remote code execution affects the DoLeads Integrator and wp2epub WordPress plugins (both versions through 0.65), which WPScan reports have been observed being leveraged to run arbitrary code on a blog once installed. The plugins are reachable via a broader flaw that lets unauthorized users install 'unclosed'/withdrawn extensions from the wordpress.org repository, turning plugin installation into a code-execution primitive. No public exploit has been identified at time of analysis, and EPSS remains very low (0.15%, 5th percentile), indicating no observed widespread exploitation despite the high CVSS.

WordPress Authentication Bypass
NVD WPScan VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Remote code execution in the WPFunnels (Funnel Builder for WooCommerce) WordPress plugin versions up to and including 3.12.7 lets attackers write attacker-controlled 'postData' into a PHP-includeable .log file that wpfnl_show_log later renders with include_once, yielding server-side code execution. The initial injection is fully unauthenticated because the nonce guarding the optin endpoint is publicly emitted on every funnel step page, though execution only fires once an administrator opens the poisoned log via the Log Settings View while the 'Enable Logs' toggle is active. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the pre-auth injection combined with a maximal 9.8 CVSS score makes it a high-priority patch for any exposed WooCommerce funnel deployment.

WordPress RCE File Upload
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Full site takeover of WordPress installations running Uncanny Automator Pro before 7.3.0.6, caused by a supply-chain compromise of the vendor's build/distribution infrastructure that shipped a backdoored plugin build to customers. The injected backdoor hands unauthenticated attackers a working administrator session and beacons the site's secret keys and administrator details to attacker-controlled servers. This is a trojanized-update incident rather than a coding flaw; no public exploit is identified at time of analysis and EPSS probability is low (0.15%, 4th percentile), consistent with the threat being embedded in the code itself rather than requiring an external exploit.

WordPress Code Injection
NVD WPScan VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Arbitrary file deletion in the WordPress Frontend File Manager Plugin (versions up to and including 23.6) lets unauthenticated visitors remove any file on the server when guest upload mode is enabled, because a user-supplied file path is not validated before the delete operation. Removing critical files such as wp-config.php drops the site into its installation/setup routine, which an attacker can chain toward a complete site takeover. No public exploit is identified at time of analysis and EPSS is low (0.15%, 4th percentile), but the unauthenticated network vector and scope-changing impact make this a serious risk for exposed sites running the vulnerable configuration.

WordPress Information Disclosure PHP
NVD WPScan VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This removes the targeted media from its original location and can break content across the site.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the Exclusive Addons for Elementor WordPress plugin (all versions up to and including 2.7.9.8) allows authenticated Contributor-level users to permanently inject arbitrary JavaScript via the post title parameter in the post-duplicator extension. The CVSS Scope:Changed metric reflects that injected payloads execute in the browser contexts of other users - including administrators - who visit affected pages, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

WordPress XSS Exclusive Addons For Elementor
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Reviews Widgets for Google, Yelp & TripAdvisor WordPress plugin (versions up to and including 2.7.3) allows authenticated attackers with contributor-level access to inject persistent malicious scripts into pages by abusing the 'page_id' attribute of the [fbrev] shortcode. The injected payload executes in the browsers of any user who subsequently visits the affected page, enabling session hijacking, credential theft, or further exploitation within the victim's browser context. No public exploit code has been identified at time of analysis, and no KEV listing is present, but the contributor-level access bar is low in multi-author WordPress deployments.

WordPress XSS Google +1
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.

WordPress Command Injection PHP +4
NVD WPScan VulDB
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

The Admin and Site Enhancements (ASE) WordPress plugin before 8.8.4, admin-site-enhancements-pro WordPress plugin before 8.8.4 does not perform authentication, authorization, or nonce checks on a role-restoration request handler, allowing unauthenticated attackers to restore a previously demoted administrator account back to the administrator role. This is an incomplete fix of CVE-2024-43333 / CVE-2025-24648, which closed the issue for only one of the demotion paths the WordPress role API exposes.

WordPress Information Disclosure Admin And Site Enhancements Ase +1
NVD WPScan
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Authenticated remote code execution in the FileOrganizer WordPress plugin before 1.2.0 lets users granted file-manager access upload arbitrary PHP files because several file-management operations skip file-type validation. Publicly available exploit code exists, and the flaw is an incomplete fix of CVE-2024-7985, which only hardened the upload operation while leaving other file-management endpoints unvalidated. With CVSS 3.1 base 8.8 (PR:L) and a working PoC, any low-privileged account with file-manager rights - extendable to sub-administrator roles via the premium add-on - can achieve full site compromise.

WordPress RCE PHP +1
NVD WPScan
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator.

WordPress Code Injection Simple Membership
NVD WPScan VulDB
EPSS 0% CVSS 8.0
HIGH POC PATCH This Week

The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, including an administrator, views the affected profile.

WordPress Information Disclosure Ultimate Member
NVD WPScan VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.

WordPress Information Disclosure Allcoach
NVD WPScan VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available.

PHP Information Disclosure WordPress +1
NVD WPScan VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 allows authenticated attackers with Contributor-level access to include and execute arbitrary PHP code on the server. The render_templates AJAX endpoint passes the unsanitized 'template' parameter directly into a PHP require/include statement, restricted only to files ending in _templates.php. Wordfence reported this vulnerability; no public exploit code or CISA KEV listing is present at time of analysis.

WordPress LFI Information Disclosure +2
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Zakra WordPress theme (versions up to and including 4.2.0) allows authenticated Contributors to inject arbitrary JavaScript into site pages via the REST API. The vulnerability stems from a sanitization bypass: while the classic editor code path correctly applies sanitize_hex_color() to three menu-color post meta fields, the REST API registration omits any sanitize_callback, permitting unfiltered values to be written. Those values are later concatenated unsanitized into inline CSS and rendered on every page load, triggering stored XSS against any site visitor. No active exploitation (CISA KEV) is confirmed; a vendor-released patch is available in version 4.2.1.

WordPress XSS Zakra
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the GenerateBlocks WordPress plugin (all versions through 2.2.1) allows contributor-level authenticated attackers to inject arbitrary JavaScript via the Headline Block's `linkMetaFieldType` dynamic link attribute, executing in the browser of any user - including site administrators - who clicks the injected headline link. The attack chains a `get_safe_user_meta_keys()` allowlist bypass with insufficient URI scheme validation to construct a fully attacker-controlled `javascript:` href. No CISA KEV listing exists at time of analysis, but Wordfence reporting and direct source code references lower the barrier to independent exploitation.

WordPress XSS Generateblocks
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Arbitrary shortcode execution in the CURCY Multi Currency for WooCommerce WordPress plugin (versions up to and including 2.2.14) allows unauthenticated attackers to invoke any registered WordPress shortcode by sending a crafted request to a vulnerable action handler in frontend/cache.php. The root cause is a failure to validate the shortcode value before passing it to do_shortcode(), meaning any shortcode registered on the site - including those that expose user data, perform database queries, or render sensitive page content - can be triggered without authentication. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the low attack complexity and zero-authentication requirement elevate practical risk above what the moderate CVSS score suggests.

Code Injection WordPress RCE +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Ad Inserter WordPress plugin (versions up to and including 2.8.16) allows authenticated Contributor-level users to read the full content of arbitrary posts they do not own or have permission to view, including Private, Draft, Pending, Trashed, and password-protected posts. The flaw exists in the shortcode processing function replace_ai_tags(), which fetches post content by a user-supplied numeric ID without any authorization check, post-type restriction, or status filtering. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ad Inserter Ad Manager Adsense Ads
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Comments - wpDiscuz WordPress plugin (versions up to and including 7.6.56) allows unauthenticated guest commenters to persist malicious script by injecting into the 'Website' field, which is later rendered unescaped by getCommentAuthor(). The stored comment_author_url is interpolated directly into single-quoted HTML attributes without esc_url() or esc_attr(), so any visitor viewing an affected comment thread executes the attacker's payload in their browser session. No public exploit identified at time of analysis, but exploitation requires no authentication and the source-level root cause is documented in the WordPress plugin trac.

WordPress XSS Comments Wpdiscuz
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

{id}/emails endpoint then honors that nonce without an ownership check. Attackers exploiting this can overwrite victim quiz result pages and redirect quiz notification emails to attacker-controlled addresses - a vector for targeted phishing against quiz respondents. No public exploit or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references that substantially lower the barrier to exploitation.

Authentication Bypass WordPress Quiz And Survey Master Qsm Easy Quiz And Survey Maker
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows authenticated contributors to persist arbitrary JavaScript in WordPress pages via the Advanced Heading widget's 'Background Text' field. The root cause is the direct concatenation of the user-controlled `background_text_heading` setting into an HTML attribute inside the widget's `render()` function without applying WordPress's `esc_attr()` sanitization, reported by Wordfence. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, but the contributor-level access prerequisite makes this realistically exploitable on multi-author or open-registration WordPress sites.

WordPress XSS Rtmkit
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated booking data tampering in MotoPress Appointment Booking for WordPress (all versions ≤ 2.4.4) allows remote attackers to overwrite the customer name, email, phone number, and customer_id of any victim booking that has not yet been confirmed. The REST endpoint POST /motopress/appointment/v1/bookings is registered with permission_callback set to '__return_true', bypassing all WordPress capability checks, and the createBooking handler blindly trusts an attacker-supplied payment_details.booking_id to load and persist an existing booking without any ownership verification (CWE-639). No public exploit code or CISA KEV listing is confirmed at time of analysis, but the attack is trivially executable by any unauthenticated network attacker given the also-public booking enumeration endpoint.

Authentication Bypass WordPress PHP +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the CM Business Directory WordPress plugin (all versions ≤ 1.5.7) allows contributor-level authenticated users to persist arbitrary JavaScript in business listing address meta fields, executing against any visitor who loads the affected page. The vulnerability exploits a structural gap in WordPress's permission model: because the payload is written to post meta rather than post_content, the platform's native unfiltered_html capability check never fires, giving low-privilege contributors an injection vector that WordPress's architecture was designed to prevent. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, though Wordfence has published full technical details including exact vulnerable code line references and an upstream fix commit.

WordPress XSS Cm Business Directory Optimise And Showcase Local Business
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the JSON API User WordPress plugin (versions ≤ 4.1.0) allows authenticated attackers with subscriber-level or higher access to inject persistent JavaScript via the `content` parameter of the `post_comment` API endpoint. The plugin's `post_comment()` function passes attacker-controlled `comment_content` directly to WordPress's native `wp_insert_comment()` without any HTML sanitization, and a compounding design flaw permits callers to supply `comment_approved=1` to self-approve comments and entirely bypass the WordPress moderation queue. No public exploit code or CISA KEV listing is confirmed at time of analysis; however, the CVSS scope-change flag (S:C) and low authentication barrier make this a meaningful risk on any site permitting open user registration.

WordPress XSS Json Api User
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Server-Side Request Forgery in WP Import Export Lite (all versions ≤ 3.9.30) allows authenticated administrators to bypass WordPress's native SSRF protections and reach internal network resources, including cloud instance metadata endpoints. The bypass exploits a design flaw: when WordPress's wp_safe_remote_get() correctly blocks a private-range URL and returns a WP_Error, the plugin's Download::download_file() method interprets that error as a cue to retry the original attacker-supplied URL via GuzzleHttp with no filtering and TLS verification disabled. No public exploit is identified at time of analysis and no CISA KEV listing exists, but the cloud credential theft scenario on hosted WordPress environments elevates practical impact beyond the 5.5 base score.

WordPress SSRF Wp Import Export Lite
NVD VulDB
EPSS 1% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the Printcart Web to Print Product Designer for WooCommerce WordPress plugin (versions up to and including 2.5.2) lets unauthenticated attackers delete any file on the server, potentially escalating to remote code execution. The store_design_data() function builds a filesystem path from the attacker-controlled 'nbd_item_key' POST value and the nonce guarding the AJAX action can be freely retrieved by anonymous users, so exploitation needs no login. No public exploit has been identified at time of analysis, but the network-reachable, no-privilege profile makes this a high-priority patch.

WordPress Path Traversal RCE +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the 'real_val__' form-submission parameter, which later executes in the browser of any user who views the affected page. The flaw is amplified by a design weakness: the submission handler is registered through wp_ajax_nopriv_submit_nex_form with no nonce/CSRF verification, so no authentication or valid session is required to reach the vulnerable sink. There is no public exploit identified at time of analysis and no CISA KEV listing, but the unauthenticated, network-reachable nature makes it a practical mass-exploitation candidate against exposed WordPress sites.

WordPress XSS CSRF +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Ultimate Member WordPress plugin (versions ≤ 2.11.4) permits any subscriber-level authenticated attacker to inject persistent malicious JavaScript via the 'about_me' profile field, which then executes in the browser of any user - including site administrators - who views the compromised profile page. The scope-changed CVSS vector (S:C, PR:L) reflects that the low barrier to obtaining a subscriber account combined with cross-origin script execution can escalate to full site compromise if an administrator's session is hijacked. No public exploit code or CISA KEV listing has been identified at time of analysis, though the attack is low-complexity once a subscriber account is obtained.

WordPress XSS Ultimate Member User Profile Registration Login Member Directory Content Restriction Membership Plugin
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file read in the AR for WooCommerce WordPress plugin (all versions through 8.40) lets unauthenticated attackers traverse directories via the 'file' parameter of AJAX-driven secure-download handlers, exposing wp-config.php, credentials, and other sensitive server files. The vulnerability is notable because three independent access controls - nonce validation, AES-256-CBC payload encryption, and a Referer check - each fail on default free installations, collapsing what looks like a defended endpoint into an open file-disclosure primitive. No public exploit identified at time of analysis, but the flaw is trivially reachable and was reported by Wordfence.

WordPress Path Traversal Ar For Woocommerce
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Ninja Forms - File Uploads WordPress plugin (all versions through 3.3.29) allows unauthenticated remote attackers to read all plugin debug log entries stored in the wp_nf3_log database table or permanently delete every row from that table. The flaw originates from the plugin's failure to verify whether a requesting user holds any authorization before processing debug log actions, as confirmed by Wordfence with a direct reference to the vulnerable DebugLog.php route. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Ninja Forms File Uploads
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the AR for WordPress plugin (versions up to and including 8.40) lets unauthenticated remote attackers read any file the web server can access via a path-traversal payload in the 'file' parameter of its secure-download handler. Exploitation is gated by a nonce and encryption-key check, but both can be satisfied remotely on default free or unlicensed installations, exposing wp-config.php and other secrets. No public exploit identified at time of analysis and the flaw is not in CISA KEV, though the vendor (Wordfence) documents the full unauthenticated bypass path.

WordPress Path Traversal Ar For Wordpress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (versions through 2.3.0) allows authenticated contributors to persist malicious JavaScript in documentation pages by injecting arbitrary values into the 'sectionTitleTag' and 'articleTitleTag' Gutenberg block attributes, which are rendered without sanitization or output escaping in Sidebar block render.php. Any WordPress user who subsequently visits an injected documentation page will execute the attacker's script in their browser context, enabling session hijacking, credential harvesting, or defacement. No public exploit code or CISA KEV listing has been identified, but the low privilege bar (contributor) makes this accessible to a broad class of authenticated WordPress users.

WordPress XSS Wedocs
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in the Cookie Banner for GDPR/CCPA - WPLP Cookie Consent WordPress plugin (all versions up to and including 4.3.5) enables authenticated administrators to append arbitrary SQL clauses to existing queries via the unescaped 's' search parameter in the admin data-request table interface. The vulnerable code spans at least four distinct query paths in class-wpl-data-req-table.php (lines 322, 377, 492, and 513), each failing to sanitize or properly prepare user-supplied input before use in database queries. No public exploit or CISA KEV listing has been identified at time of analysis; the high privilege requirement (WordPress administrator) substantially constrains real-world attack surface.

WordPress SQLi Cookie Banner For Gdpr Ccpa Wplp Cookie Consent
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization on the BetterDocs-to-weDocs migration AJAX endpoint in the weDocs WordPress plugin (versions up to and including 2.3.0) allows any authenticated subscriber-level user to trigger a full data migration, manipulate documentation content, alter site options, and forcibly deactivate installed BetterDocs and BetterDocs Pro plugins. The vulnerable `do_migration()` function registered under the `wedocs_migrate_betterdocs_to_wedocs` AJAX action performs neither a nonce check via `check_ajax_referer()` nor a privilege check via `current_user_can()`, exposing sensitive administrative operations to the lowest authenticated user tier. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Authentication Bypass WordPress Wedocs
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the weDocs WordPress plugin (all versions through 2.3.0) allows authenticated contributors to inject persistent malicious scripts via the unsanitized 'connectorWidth' block attribute in the Sidebar block renderer (render.php lines 138 and 161). Any site visitor loading an affected documentation page triggers the payload in their browser, enabling session hijacking, credential harvesting, or malicious redirects. No active exploitation is confirmed in CISA KEV and no public exploit has been identified at time of analysis, though the attack technique is low-complexity for anyone with block editor knowledge.

WordPress XSS Wedocs
NVD
EPSS 1% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the TinyPNG (JPEG, PNG & WebP image compression) plugin for WordPress affects all versions through 3.6.13, allowing authenticated attackers with author-level access or higher to delete any file the web server can reach. Because deleting sensitive files such as wp-config.php pushes the site into a fresh-install state, this file-deletion primitive can be escalated to full remote code execution. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but it was disclosed by Wordfence with a clear exploitation path and carries a CVSS 8.1 (High).

WordPress Path Traversal RCE +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload leading to remote code execution in the Divi Form Builder WordPress plugin (versions through 5.1.8) lets unauthenticated attackers upload executable PHP files and run arbitrary code on the server. Attacker-controlled input from the acceptFileTypes POST parameter is interpolated directly into the file-validation regex in do_image_upload(), allowing alternate PHP extensions (.phtml, .phar, .php5, .php7) that evade the plugin's .php-only .htaccess block - and on Nginx the .htaccess protection does not apply at all. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the CVSS 9.8 rating and Wordfence's technical disclosure make this a high-priority patching target.

WordPress Nginx PHP +3
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting via cross-site request forgery affects the Permalink Manager for WooCommerce WordPress plugin in all versions up to and including 1.0.8.2. Because the plugin fails to validate request authenticity (CWE-352), an unauthenticated attacker who lures a logged-in administrator into loading a malicious page can forge a state-changing request that persists attacker-controlled script into the site, which later executes in the admin context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 3.1 base score is 7.1 with a scope change reflecting the CSRF-to-stored-XSS impact.

WordPress CSRF Permalink Manager For Woocommerce
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sensitive data exposure in the Kit (formerly ConvertKit) for WooCommerce WordPress plugin versions 2.1.5 and below allows remote unauthenticated attackers to access sensitive information without any credentials or user interaction. The vulnerability is classified under CWE-497, indicating the plugin inadvertently surfaces system or application-level sensitive data to an unauthorized control sphere - likely including API keys, subscriber data, or configuration secrets tied to the Kit email marketing integration. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure Kit Formerly Convertkit For Woocommerce
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Broken access control in Martfury WooCommerce Marketplace WordPress Theme (versions <= 3.2.8) permits authenticated subscriber-level users to invoke functionality restricted to higher-privilege roles, achieving unauthorized integrity modifications. The flaw is rooted in CWE-862 (Missing Authorization), where theme-controlled endpoints or action handlers fail to verify that the requesting user holds sufficient capabilities beyond basic authentication. No public exploit or CISA KEV listing was present in the available data at time of analysis.

Authentication Bypass WordPress Martfury Woocommerce Marketplace Wordpress Theme
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the Novalnet Payment Gateway for WooCommerce WordPress plugin (versions 12.10.3 and earlier) lets remote attackers submit crafted serialized objects that the plugin deserializes, per CVSS enabling full compromise of confidentiality, integrity, and availability. The flaw is network-reachable without authentication or user interaction and carries a critical 9.8 CVSS score. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

WordPress Deserialization PHP +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected Cross-Site Scripting in the Customize My Account for WooCommerce WordPress plugin (versions 4.3.9 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The flaw carries a CVSS 7.1 rating driven by a scope change (S:C), meaning script execution crosses the plugin's security boundary into the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Customize My Account For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the MC WooCommerce Wishlist WordPress plugin (also distributed as 'Smart Wishlist for MoreConvert') affects all versions up to and including 1.9.19, letting remote unauthenticated attackers inject malicious script that executes in a victim's browser after the victim interacts with a crafted link or request. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs in the WordPress site's origin, enabling session/cookie theft or actions against other users. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

WordPress XSS Mc Woocommerce Wishlist
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Broken authentication in VillaTheme's ALD - Dropshipping and Fulfillment for AliExpress and WooCommerce (all versions up to and including 2.2.0) permits remote unauthenticated attackers to bypass authentication controls under high-complexity conditions, yielding limited read and write access to protected plugin functionality. Assigned CVSS 3.1 score of 4.8 with AV:N/AC:H/PR:N, the high attack complexity signals that exploitation requires specific preconditions rather than a trivial request. No public exploit code or active exploitation has been identified at time of analysis, and CISA KEV listing is absent.

WordPress Information Disclosure Ald Dropshipping And Fulfillment For Aliexpress And Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Path traversal in the Tax Exempt for WooCommerce plugin (versions <= 1.9.3) by Addify enables authenticated customer-level users to read arbitrary files from the server's filesystem. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact, as a low-privileged account (a standard customer/shopper) can traverse directory boundaries to access sensitive files such as wp-config.php containing database credentials. No public exploit code or active CISA KEV listing has been identified at time of analysis.

WordPress Path Traversal Tax Exempt For Woocommerce
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the NOWPayments for WooCommerce WordPress plugin (versions <= 1.4.0) allows unauthenticated remote attackers to perform actions or modify state that should be restricted, without any authentication. The flaw stems from a missing authorization check (CWE-862) on a network-reachable endpoint, and per its CVSS 3.1 vector it affects integrity only (I:H) with no confidentiality or availability impact. No public exploit has been identified at time of analysis, though the vulnerability was cataloged by Patchstack, a specialist in WordPress plugin security research.

Authentication Bypass WordPress Nowpayments For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the DesignThemes 'Kids Life | Children School' WordPress theme (versions 5.2 and earlier) allows unauthenticated remote attackers to inject arbitrary web script that executes in a victim's browser when they interact with a crafted link or input. The CVSS vector (PR:N, UI:R, Scope Changed) indicates no authentication is needed but the victim must be lured into interaction, and the injected script can cross into other security contexts. No public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.

WordPress XSS Kids Life Children School Wordpress
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Kids Zone - Children WordPress Theme (versions 5.4 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session when the victim opens a crafted link or page. The CVSS 3.1 base score is 7.1, elevated by a scope change (S:C) reflecting that injected script escapes the vulnerable theme context into the visitor's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS value was supplied with the input.

WordPress XSS Kids Zone Children Wordpress Theme
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the Fitness Zone WordPress theme (versions 5.7 and earlier) by designthemes allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or request. The scope-change (S:C) rating indicates the injected script can affect resources beyond the vulnerable component, such as hijacking authenticated admin sessions. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by Patchstack.

WordPress XSS Fitness Zone Wordpress Theme
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/unauthenticated Cross-Site Scripting in the designthemes SpaLab | Beauty Salon WordPress theme (all versions up to and including 6.7) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 score of 7.1 reflects a scope-changing (S:C) client-side impact requiring no authentication (PR:N) but user interaction (UI:R). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied in the input.

WordPress XSS Spalab Beauty Salon Wordpress Theme
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored Cross-Site Scripting in the Artale Wedding Photography WordPress theme (versions 2.2.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they follow a crafted link or load a poisoned page. Reported by Patchstack and rated CVSS 7.1 with a scope change, it primarily threatens site visitors and administrators through session/context theft rather than direct server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Artale Wedding Photography Wordpress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary content deletion in the Merkulove 'OpenAI Chatbot for WordPress - Helper' plugin (versions 1.1.4 and earlier) lets remote unauthenticated attackers destroy site content by invoking a plugin action that lacks an authorization check. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, A:H) confirms network-reachable, no-privilege, no-interaction exploitation with high availability impact and no confidentiality or integrity compromise. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass WordPress Openai Chatbot For Wordpress Helper
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file read in the Ninja Forms - File Uploads WordPress add-on (versions ≤ 3.3.29) lets unauthenticated remote attackers exfiltrate any file readable by the web server. A client-supplied saveProgress flag causes the process() method to return early, so a raw attacker-controlled 'files' array reaches attach_files() and get_files_for_attachment() without upload validation, path normalization, or database record creation - an attacker-chosen file_path is then passed to wp_mail() as an email attachment guarded only by a file_exists() check. No public exploit has been identified at time of analysis; there is no CISA KEV listing and no EPSS score was supplied.

WordPress Path Traversal Ninja Forms File Uploads
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the WP Review Slider Pro WordPress plugin (versions up to and including 12.7.2) lets unauthenticated attackers extract arbitrary database contents through the 'notinstring' parameter of the wprp_load_more_revs AJAX action. Because the action is exposed via wp_ajax_nopriv and its required nonce is leaked to the frontend through wp_localize_script on any page rendering the plugin shortcode, anyone who can reach a public page hosting the plugin can exploit it. Reported by Wordfence with a CVSS of 7.5; no public exploit identified at time of analysis.

WordPress SQLi Wpreviewslider Com
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Arbitrary file copy in the Database for Contact Form 7, WPforms, Elementor Forms WordPress plugin (versions ≤ 1.5.1) exposes any file readable by the PHP process to unauthenticated network attackers. The `create_entry_el()` function accepts attacker-controlled POST data as a file path and passes it directly to PHP's `copy()`, which transparently accepts both local filesystem paths and remote URLs - enabling server file exfiltration or remote resource staging. Exploitation requires Elementor Pro to be installed and active alongside the vulnerable plugin; no public exploit or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector and high confidentiality impact make this a credible priority for mixed Elementor Pro deployments.

WordPress Path Traversal PHP +1
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Arbitrary file disclosure in the Perfmatters WordPress performance plugin (versions ≤ 2.6.4) lets unauthenticated attackers traverse the filesystem via the 's' parameter and read sensitive server files such as wp-config.php. The flaw only surfaces in a specific non-default configuration (Local Google Fonts enabled with pretty permalinks and RSS feed links active), and there is no public exploit identified at time of analysis. Reported by Wordfence with a CVSS of 7.5 (high).

WordPress Path Traversal Google +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin (all versions through 4.5.8) enables authenticated attackers with the view_contacts capability to append arbitrary SQL to existing database queries via the unsanitized 'select' parameter, resulting in full database read access. The flaw spans multiple code paths - db/query/query.php (lines 228 and 427), db/db.php (line 1366), and api/v4/base-object-api.php (line 505) - confirmed in both the 4.5.7 and 4.5.8 tagged releases by Wordfence. No public exploit code or CISA KEV listing has been identified at time of analysis, though the vulnerable code is publicly browsable in the WordPress plugin repository, materially lowering the barrier for exploit development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Product Video Gallery for WooCommerce WordPress plugin (versions ≤ 1.5.1.8) allows authenticated shop managers to persist malicious JavaScript via the custom_thumbnail parameter, which then executes in the browsers of any visitor accessing an affected product page. The CVSS scope-change flag (S:C) confirms the injected payload crosses security boundaries from the attacker's session into victims' browser contexts. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog, but the PR:H requirement is the primary limiting factor for real-world risk - any compromise of a shop manager account would make this trivially exploitable.

WordPress XSS Product Video Gallery For Woocommerce
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Feedzy RSS Aggregator WordPress plugin (all versions through 5.2.1) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the unsanitized 'aspectRatio' attribute of the RSS feed block. When any user - including site administrators - visits a page containing the injected content, the payload executes in their browser, enabling session hijacking, credential theft, or privilege escalation to full site control. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the low privilege bar (contributor) and scope change to administrator sessions make this a meaningful risk for multi-author WordPress deployments.

WordPress XSS Rss Aggregator By Feedzy Feed To Post Autoblogging News Youtube Video Feeds Aggregator
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass WordPress Kirki Freeform Page Builder Website Builder Customizer
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Insecure Direct Object Reference in the My Calendar - Accessible Event Manager WordPress plugin (all versions through 3.7.14) exposes non-public, draft, trashed, and personal calendar events to unauthenticated remote attackers via the 'vcal' iCalendar export endpoint. By enumerating integer occurrence IDs in the 'vcal' parameter, an attacker can retrieve full iCalendar exports containing event titles, descriptions, dates, locations, organizer and host details, permalinks, and related calendar metadata that site owners explicitly withheld from public view. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the low attack complexity and zero authentication requirement make opportunistic enumeration trivially feasible.

Authentication Bypass WordPress My Calendar Accessible Event Manager
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the JoomSport WordPress plugin (all versions through 5.7.8) permits any subscriber-level authenticated user to create arbitrary season groups or tamper with group names, participant records, and round-type options - sports league data that site administrators should exclusively control. The flaw, identified by Wordfence and rooted in CWE-862 (Missing Authorization), is exploitable by any registered WordPress user who can load a page rendering a JoomSport shortcode to harvest a required nonce. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS 4.3 Medium score accurately reflects a bounded, integrity-only impact with no path to code execution or privilege escalation.

Authentication Bypass WordPress Joomsport For Sports
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.

Authentication Bypass WordPress Information Disclosure +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Unauthorized wp_postmeta enumeration in JetFormBuilder (WordPress plugin, all versions through 3.6.3) allows unauthenticated remote attackers to extract arbitrary post meta values - including WooCommerce billing PII, payment tokens, and third-party plugin credentials - by exploiting a missing authorization check in the plugin's REST API generator endpoint. The flaw exists in the get_from_db generator function, which returns database values without verifying whether the requesting user is permitted to access them. No public exploit has been identified at time of analysis, but the attack is trivially executable against any site where a published JetFormBuilder form with a get_from_db field exists, as all required parameters (form ID, field name, generator ID) are discoverable by browsing the site's public forms.

Authentication Bypass WordPress Jetformbuilder Dynamic Blocks Form Builder
NVD
EPSS 3% CVSS 7.2
HIGH This Week

Authenticated OS command injection in the WP Database Backup plugin for WordPress (all versions up to and including 7.11) lets administrator-level users execute arbitrary operating system commands on the underlying server, escalating a WordPress admin foothold into full host RCE. The flaw stems from the wp_db_exclude_table POST parameter being concatenated unescaped into the mysqldump shell command; the injection is stored, so payloads persist in the options table and fire whenever a backup runs. Reported by Wordfence with no public exploit identified at time of analysis and no CISA KEV listing.

Command Injection WordPress RCE +2
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Unauthenticated appointment cancellation and rescheduling in the Wappointment WordPress plugin (all versions ≤ 2.7.6) is possible because the sole authorization token - the `edit_key` - is a predictable, unsalted MD5 hash of three fully derivable inputs: a sequential integer `client_id`, a publicly observable appointment timestamp `start_at`, and an enumerable integer `staff_id`. The unauthenticated REST endpoints for `tryCancel()` perform no ownership or identity verification beyond matching this reconstructible key, meaning any network attacker who books one appointment can calibrate the sequential ID space and compute valid keys for other users' appointments. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the attack requires only standard HTTP tooling and basic scripting against any site with cancellation or rescheduling features enabled.

Authentication Bypass WordPress Appointment Bookings For Zoom Googlemeet And More Wappointment
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Arbitrary file deletion in the Image Optimizer plugin for WordPress (versions up to and including 1.7.4) lets an authenticated attacker with Author-level access or higher delete any file the web server can write to, potentially causing denial of service, data loss, or removal of security-relevant files such as wp-config.php. The flaw stems from the plugin trusting attacker-controllable backup paths stored in post meta. This was reported by Wordfence; no public exploit identified at time of analysis, and it is not listed in CISA KEV.

WordPress Denial Of Service
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated curriculum exposure in the Academy LMS WordPress plugin (versions ≤ 3.8.1) allows any internet user to retrieve detailed topic and lesson structures from courses explicitly protected by private, draft, scheduled, or password-protected post statuses. The root cause is the plugin's '/topics' REST API endpoint registering with '__return_true' as its permission callback, entirely bypassing WordPress's built-in post visibility and enrollment enforcement. No exploit code has been publicly identified and the vulnerability is not listed in CISA KEV, but the zero-complexity network vector makes automated course ID enumeration trivially scriptable with standard HTTP tools.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated code injection in the Request a Quote plugin for WordPress (versions up to and including 2.5.5) lets remote attackers invoke arbitrary zero-argument PHP functions on the server through the emd_delete_file AJAX action. Because the handler is registered for wp_ajax_nopriv and derives a callable function name from the attacker-controlled $_POST['path'] parameter, an attacker can trigger functions such as phpinfo() to expose server configuration and credentials, or destructive built-in functions. No public exploit identified at time of analysis, but the nonce that is the sole gatekeeper is printed directly into the public quote-form page, effectively neutralizing it.

WordPress RCE PHP
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in GiveWP (WordPress Donation Plugin and Fundraising Platform) versions up to and including 4.16.1 allows authenticated attackers holding the Give Worker role or above to inject persistent malicious scripts via the Sequoia form template's introduction image parameter. The CVSS Scope:Changed rating reflects that injected payloads execute in the security context of any victim browser that loads the affected donation page, enabling session hijacking or credential theft from site visitors and administrators alike. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL injection in the Houzez Property Feed WordPress plugin (versions up to and including 2.5.46) permits authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database by manipulating the `orderby` GET parameter on admin log pages. The root cause is a `$wpdb->prepare()` misuse pattern: user-supplied `$_GET['orderby']` and `$_GET['order']` values are filtered only with `sanitize_text_field()` - which does not neutralize SQL metacharacters - then concatenated directly into the SQL format string before `prepare()` is invoked, meaning prepare() only parameterizes the trailing LIMIT/OFFSET clause and cannot retroactively secure the already-tainted ORDER BY clause. No public exploit has been identified at time of analysis, and the high privilege requirement (WordPress Administrator) significantly constrains the realistic attacker pool.

WordPress SQLi
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Payment enforcement bypass in the User Registration & Membership WordPress plugin before 5.2.0 allows any visitor to self-register a free account and then activate a paid membership subscription without completing payment, gaining unauthorized access to gated premium content. The flaw is a business logic failure: the plugin activates the paid plan upon subscription initiation rather than upon confirmed payment receipt. No public exploit or CISA KEV listing exists at time of analysis, but exploitation is trivially low-effort given the plugin's open registration model and the CVSS vector of AV:N/AC:L/PR:N/UI:N.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Broken access control in the Adminify WordPress plugin before 4.2.10 allows authenticated Contributor-level users to enumerate sensitive site data through an administration search feature that omits per-user read-capability checks. Affected data includes other authors' unpublished post titles, pending comment content, installed plugin inventory, and registered user account names - all information WordPress's native capability model would otherwise restrict. No public exploit has been identified at time of analysis, and a vendor-released patch is available at version 4.2.10.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Private content disclosure in the Envo's Templates & Widgets for Elementor and WooCommerce WordPress plugin (versions up to and including 1.4.26) allows authenticated attackers with Author-level access to expose private or draft Elementor-rendered pages and templates to anonymous visitors. The flaw is rooted in the Tabs and Off Canvas widgets passing a user-supplied post ID directly to Elementor's get_builder_content_for_display() without any post-status or capability check, meaning the rendered output of restricted content is served publicly once an Author configures the widget. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, making this a lower-urgency but real information-disclosure risk for WordPress sites with multiple or untrusted Author-level users.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Email Subscribers & Newsletters WordPress plugin (all versions through 5.9.27) allows contributor-level authenticated users to hijack the site's email infrastructure - overwriting sender identity, creating mailing lists, injecting arbitrary contacts, and dispatching mass email to arbitrary external recipients. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity, network-accessible exploitation requiring only a contributor account, which is commonly available on multi-author WordPress sites. No public exploit code has been identified at time of analysis, but the abuse potential - mass phishing campaigns sent through a trusted domain's authenticated mail relay - materially exceeds what the 4.3 CVSS score implies.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Broken access control in Fluent Forms WordPress plugin before 6.2.5 allows a restricted Manager role to permanently delete form submission entries belonging to forms outside their authorized scope. The flaw stems from missing authorization checks on the deletion endpoint, which fails to verify that the target submission belongs to a form the Manager is permitted to administer. This affects only installations where an administrator has explicitly created a restricted Manager account tied to specific forms - no public exploit or active exploitation (CISA KEV) has been identified at time of analysis.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Insert Pages WordPress plugin (versions through 3.11.4) allows authenticated attackers with author-level access to persist arbitrary JavaScript via post custom field key names. The vulnerability arises because the `the_meta()` function applies `wp_kses_post()` to custom field values but interpolates the custom field KEY directly into rendered HTML without any escaping, exploitable only when the `[insert page='ID' display='all']` shortcode is used. Any visitor loading a page containing the shortcode will execute the attacker's payload in their browser, enabling session hijacking or credential theft; no public exploit identified at time of analysis.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Stored XSS in the yootheme WordPress theme before version 5.0.35 enables users holding the Author role to inject persistent malicious scripts into posts by exploiting a sanitization gap between WordPress's wp_kses_post() filter and the theme's bundled front-end framework, which interprets certain permitted HTML attributes as executable markup. Any visitor - including site administrators - who views an affected post triggers script execution in their browser, creating a realistic privilege escalation path on multi-author WordPress sites. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor patch version 5.0.35 is confirmed via WPScan advisory.

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. No public exploit identified at time of analysis; the issue was reported by Wordfence and carries a CVSS 7.2 with a changed scope.

WordPress XSS Nex Forms Ultimate Forms Plugin For Wordpress
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not on CISA KEV, though the root-cause code paths are pinpointed in public plugin source.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
Prev Page 4 of 193 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy