Skip to main content

WordPress

17357 CVEs vendor

Monthly

CVE-2026-10077 MEDIUM PATCH This Month

Stored XSS in the yootheme WordPress theme before version 5.0.35 enables users holding the Author role to inject persistent malicious scripts into posts by exploiting a sanitization gap between WordPress's wp_kses_post() filter and the theme's bundled front-end framework, which interprets certain permitted HTML attributes as executable markup. Any visitor - including site administrators - who views an affected post triggers script execution in their browser, creating a realistic privilege escalation path on multi-author WordPress sites. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor patch version 5.0.35 is confirmed via WPScan advisory.

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-12142 HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. No public exploit identified at time of analysis; the issue was reported by Wordfence and carries a CVSS 7.2 with a changed scope.

WordPress XSS Nex Forms Ultimate Forms Plugin For Wordpress
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-13228 HIGH This Week

Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not on CISA KEV, though the root-cause code paths are pinpointed in public plugin source.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-10095 MEDIUM This Month

Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributor-level authenticated attackers to inject persistent JavaScript payloads via the unsanitized 'subtext' parameter of the [photo] shortcode. The CVSS scope change (S:C) is the critical amplifier: a low-privileged contributor can embed malicious shortcodes in posts submitted for editorial review, causing the stored payload to execute in administrator browser sessions when the content is previewed - enabling session hijacking and potential full site takeover. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and common WordPress contributor registration practices make this a realistic threat on affected installations.

WordPress XSS Wp Photo Album Plus
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12754 MEDIUM This Month

Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.12) allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers by tricking them into clicking a crafted URL. The vulnerable `layoutstyle` parameter is insufficiently sanitized before being rendered in the roomslist view template, enabling session hijacking, credential theft, or malicious redirects against authenticated site users such as hotel administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and a patched version (1.8.13) is available per plugin Trac references.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-13454 MEDIUM This Month

SQL Injection in the MotoPress Appointment Booking WordPress plugin (versions ≤ 2.4.5) allows authenticated attackers holding the mpa_appointment_employee custom role to append arbitrary SQL to booking search queries via the 's' parameter, enabling full read access to the underlying WordPress database. The vulnerability originates in ManageBookingsPage.php at two separate query-construction points (lines 247 and 310), where user-supplied input is neither escaped nor parameterized. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS signal was not supplied; however, the Wordfence intelligence report and a confirmed upstream fix commit indicate the issue is credibly documented.

WordPress SQLi Motopress Appointment Booking
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-12158 HIGH This Week

Privilege escalation via Cross-Site Request Forgery in the RegistrationMagic WordPress plugin (all versions through 6.0.9.1) lets a remote attacker promote an arbitrary form submitter to administrator by forging a request to the process_request function, which lacks proper nonce validation. The attack plants a malicious Chronos automation task that later runs through WordPress cron, and it succeeds when a logged-in administrator is tricked into clicking an attacker-supplied link. No public exploit identified at time of analysis, and it is not listed in CISA KEV; risk is driven by the plugin's install base and the low technical bar of CSRF.

WordPress CSRF Registrationmagic Custom Registration Forms User Registration Payment And User Login
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13733 MEDIUM This Month

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.60) allows authenticated contributors to persistently inject arbitrary JavaScript via the `no_data_msg` shortcode attribute, executing in any subsequent visitor's browser context. The vulnerability exploits a bypass in WordPress's `wp_kses_post` sanitization: the filter strips disallowed HTML tokens at save time but does not neutralize C-style escape sequences embedded in shortcode attribute values, which are silently reconstructed into raw `<script>` tags at render time. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the deliberate evasion technique elevates risk on multi-contributor WordPress deployments.

WordPress XSS Download Manager
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-11387 CRITICAL Act Now

Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.

Authentication Bypass WordPress Privilege Escalation Sms Alert Sms Otp For Woocommerce Order Notifications Abandoned Cart Recovery
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-12408 MEDIUM This Month

Unauthorized private content disclosure in the Slim SEO WordPress plugin (all versions through 4.9.8) allows authenticated Contributors to read protected content they do not own via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. The endpoint's broken object-level authorization - checking only the generic `edit_posts` capability rather than per-post read access - lets any Contributor supply an arbitrary post ID and receive an AI-generated summary of that post's raw content, including private, draft, pending, future, and password-protected posts authored by other users. No public exploit or CISA KEV listing is identified at time of analysis; real-world risk is constrained by the requirement for a pre-existing Contributor-level account.

WordPress Information Disclosure Slim Seo A Fast Automated Seo Plugin For Wordpress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10096 MEDIUM This Month

Insecure Direct Object Reference in the Qi Blocks WordPress plugin (all versions ≤ 1.4.9) allows any authenticated user with Author-level access to overwrite the stored global styles of arbitrary posts, templates, or widgets they do not own by manipulating the unvalidated 'page_id' parameter. Critically, the reserved 'template' and 'widget' page_id values expose site-wide surfaces, enabling an Author to deface, hide content on, or visually degrade any page across the entire WordPress installation. The permission_callback validates only generic edit_posts and publish_posts capabilities rather than post ownership, meaning the built-in Author role is sufficient for exploitation. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress Qi Blocks
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12435 MEDIUM This Month

Authorization bypass in the Motors - Car Dealership & Classified Listings Plugin for WordPress allows authenticated subscriber-level users to arbitrarily mark any other user's vehicle listing as sold by replaying a harvested nonce against a victim's post ID. All plugin versions up to and including 1.4.111 are affected. An attacker exploiting this flaw can silently deface competitor or victim listings with a site-wide 'Sold' badge while also stripping the `special_car` featured post meta, causing business harm on dealership or classifieds sites. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Motors Car Dealership Classified Listings Plugin
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12732 MEDIUM This Month

Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the unescaped 'class_wrapper_form' shortcode attribute. The payload persists in the database and executes in the browser of any visitor - including administrators - who loads the affected page, enabling session hijacking, credential harvesting, or privilege escalation through forged admin actions. No CISA KEV listing or public exploit code has been identified at time of analysis, but the Wordfence advisory includes precise code-level references that substantially lower the bar for independent reproduction.

WordPress XSS Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12224 HIGH This Week

Privilege escalation in the Dokan Pro WooCommerce multivendor plugin for WordPress (all versions through 5.0.4) allows an authenticated vendor-level attacker to grant themselves or a controlled vendor_staff account the WordPress administrator capability, resulting in full site takeover. The flaw stems from the update_capabilities() REST handler accepting arbitrary capability strings with no allowlist, only checking for the dokandar capability. No public exploit has been identified at time of analysis, and no EPSS or KEV signals were supplied; however, the issue is reported by Wordfence and exploitation is straightforward on sites where the Vendor Staff module is enabled and vendor self-registration is permitted.

Privilege Escalation WordPress Dokan Pro
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-11887 MEDIUM POC PATCH This Month

Missing authorization on an AJAX endpoint in the Salon Booking System WordPress plugin (all versions before 10.30.20) allows any authenticated subscriber-level user to modify plugin settings and disable the manual approval workflow for new bookings. A publicly available proof-of-concept exists per WPScan's disclosure, making exploitation straightforward for any registered user on affected sites. No public exploitation (CISA KEV) has been confirmed, and SSVC assessment classifies technical impact as partial with exploitation not yet automated.

WordPress Authentication Bypass Salon Booking System
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-11883 HIGH POC PATCH This Week

Two-factor authentication bypass in the WebAuthn Provider for Two Factor WordPress plugin (all versions before 2.5.6) lets an attacker who already possesses a valid user's password defeat the WebAuthn second factor by submitting a malformed authentication response that the plugin fails to validate. This neutralizes the plugin's core protection, effectively reducing account security back to single-factor (password-only). Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as being used in active attacks and the issue is not listed in CISA KEV.

WordPress Authentication Bypass Webauthn Provider For Two Factor
NVD WPScan VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-11880 LOW POC PATCH Monitor

Subscription cancellation authorization bypass in the Fluent Forms WordPress plugin (all versions before 6.2.1) permits any authenticated low-privilege user to cancel subscriptions belonging to other site members by submitting a crafted request referencing a victim's subscription identifier. The plugin fails to verify that the requesting user owns the referenced subscription before processing the cancellation, a classic Insecure Direct Object Reference (IDOR) pattern. A public proof-of-concept is available via WPScan; no confirmed active exploitation campaign (CISA KEV) has been identified at time of analysis, and the CVSS base score of 3.1 reflects the limited, integrity-only impact.

WordPress Information Disclosure Fluent Forms
NVD WPScan VulDB
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-11794 HIGH POC PATCH This Week

Privilege escalation in the Advanced Form Integration - Connect Forms to 200+ Apps WordPress plugin before 2.1.1 allows unauthenticated visitors to provision a full administrator account through a public form. Because the plugin fails to restrict which WordPress role it assigns during user creation, any site that maps the user-role field to a public form input via an active integration exposes site takeover to anonymous submitters. Publicly available exploit code exists (reported by WPScan), though this is not listed in CISA KEV and requires a specific non-default integration configuration, so real-world exposure is narrower than the 8.1 CVSS suggests.

WordPress Information Disclosure Advanced Form Integration Connect Forms To 200 Apps
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-11570 MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the User Submitted Posts WordPress plugin before version 20260608 enables unauthenticated attackers to inject persistent malicious scripts into admin-configured display templates. The vulnerability is only reachable when a site administrator has enabled a non-default display option in the plugin settings, limiting its real-world exposure. A publicly available proof-of-concept exploit exists per WPScan, though no active exploitation has been confirmed by CISA KEV at time of analysis.

WordPress XSS User Submitted Posts
NVD WPScan VulDB
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-11568 HIGH POC PATCH This Week

Unauthenticated information disclosure in the Product Configurator for WooCommerce WordPress plugin (versions before 1.7.3) exposes sensitive product data through a public AJAX action that skips authorization and post-status checks. By supplying only a product ID, remote unauthenticated users can read titles, prices, weights, stock status, and configurator option pricing/SKUs of private and draft products, bypassing WordPress post-visibility controls. Publicly available exploit code exists (reported by WPScan), though there is no indication of active exploitation.

WordPress Authentication Bypass Product Configurator For Woocommerce
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-11562 MEDIUM POC PATCH This Month

Missing capability check in WS Form LITE WordPress plugin before 1.11.8 allows any authenticated subscriber-level WordPress user to modify the plugin's settings, an action that should be restricted to administrators. The CVSS vector (PR:L) confirms low-privilege authentication is sufficient, and a publicly available proof-of-concept has been documented by WPScan. No active exploitation has been confirmed by CISA KEV, but the low barrier to exploitation and available POC make this a credible risk on multi-user WordPress installations where untrusted subscribers exist.

WordPress Information Disclosure Ws Form Lite
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-10750 HIGH POC PATCH This Week

Broken access control in the Royal MCP WordPress plugin before 1.4.26 lets any authenticated low-privileged user (e.g. Subscriber) invoke privileged MCP tools that skip capability checks after token authentication, exposing private content, full user/role enumeration, and create/modify/delete operations on other users' content. Reported by WPScan with a publicly available exploit and a vendor patch in 1.4.26; the CVSS 8.1 vector (PR:L) confirms authenticated but not administrative access is required. There is no public exploit identified as actively exploited - status is POC only, not CISA KEV.

WordPress Information Disclosure Royal Mcp
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-1239 HIGH This Week

Broken access control in the Ninja Forms WordPress plugin (all versions through 3.14.1) lets unauthenticated remote attackers read stored form submissions via the 'ninja-forms-views/token/refresh' REST callback, which lacks an authorization check. Because Ninja Forms submissions frequently capture PII, contact details, and other sensitive user-entered data, this exposes potentially confidential information to anyone who can reach the site. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-auth nature makes it straightforward to abuse.

Authentication Bypass WordPress Ninja Forms The Contact Form Builder That Grows With You
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-11823 HIGH This Week

SQL injection in the BookingPress Appointment Booking Pro WordPress plugin (versions up to and including 5.7.1) allows unauthenticated attackers to inject SQL through the 'store_service_date' POST parameter of the bpa_assign_staffmember_to_slots() function, enabling extraction of sensitive database contents such as user credentials and PII. The flaw stems from stripslashes_deep() being applied to user input before it is concatenated directly into a LIKE clause without $wpdb->prepare(). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; no EPSS score was provided in the input.

WordPress SQLi Bookingpress Appointment Booking Pro
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-11380 MEDIUM This Month

Stored cross-site scripting in JetWidgets For Elementor (versions up to and including 1.0.21) allows authenticated WordPress users holding author-level access or higher to plant persistent JavaScript payloads by supplying unsanitized input to the Animated Box widget's animation_effect parameter, which is written directly into an HTML class attribute without output escaping or server-side validation. Any site visitor who loads an injected page triggers the payload, enabling session hijacking, credential theft, or administrative account takeover through privilege escalation within the victim's browser context. No public exploit has been identified at time of analysis and the CVE does not appear in CISA KEV; however, a fix has been committed to the WordPress plugin repository.

WordPress XSS Jetwidgets For Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-6070 CRITICAL Act Now

Arbitrary file deletion in the WP-BusinessDirectory (Business Directory) plugin for WordPress (versions ≤ 4.0.1) lets unauthenticated remote attackers delete any file the web server can access, including wp-config.php. The flaw stems from the frontend-accessible task=upload.remove endpoint accepting an unsanitized _filename parameter that permits ../ path traversal. No public exploit is identified at time of analysis, but the CVSS 9.1 rating and trivial exploitation (network, no auth, no user interaction) make it high priority; deleting wp-config.php can force WordPress into its installer, enabling site takeover.

WordPress Path Traversal PHP Wp Businessdirectory Business Directory Plugin For Wordpress
NVD VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-12127 MEDIUM This Month

CRLF injection in WPForms plugin for WordPress (all versions up to and including 1.10.2) enables unauthenticated attackers to silently blind-copy all site notification emails to an attacker-controlled address. The flaw originates from `get_reply_to_address()` applying the wrong smart-tag expansion context, allowing CR/LF characters preserved by `wpforms_sanitize_textarea_field()` to pass unstripped into raw mail header concatenation. Exploitation requires a specific non-default site configuration but demands no authentication or elevated interaction beyond a standard form submission; no public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress Authentication Bypass Wpforms Ai Form Builder For Wordpress Contact Forms Payment Forms Survey Form Quiz More
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-11988 MEDIUM This Month

Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated subscribers to read the course progress and completion records of any instructor or administrator by supplying an arbitrary value to the `userId` REST API parameter. The lazy load controller accepts the caller-supplied key without verifying ownership, bypassing authorization for LP_TEACHER_ROLE and administrator accounts while a partial guard correctly blocks subscriber-to-subscriber cross-access. No public exploit code or active exploitation has been identified at time of analysis, but exploitation requires only a subscriber-level account, making the real-world barrier low on sites with open user registration.

Authentication Bypass WordPress Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-11981 MEDIUM This Month

Cross-Site Request Forgery in GiveWP - Donation Plugin and Fundraising Platform (versions up to and including 4.15.3) allows unauthenticated remote attackers to disable donation email notifications by tricking a logged-in administrator into clicking a crafted link. The root cause is absent nonce validation in the give_set_notification_status_handler() AJAX handler, permitting forged state-changing requests. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; however, the integrity impact - silently disabling donation notifications - could cause operational blind spots for nonprofit or fundraising site operators.

WordPress CSRF Givewp Donation Plugin And Fundraising Platform
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-2387 MEDIUM This Month

Stored Cross-Site Scripting in the Event Organiser WordPress plugin (all versions through 3.12.9) allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript via the unescaped 'no_events' parameter of the 'eo_events' shortcode. The payload persists server-side and executes in any visitor's browser when they load a page containing the injected shortcode with no matching events. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the low authentication bar (Contributor) makes this a meaningful risk on multi-author WordPress sites.

WordPress XSS Event Organiser
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12113 MEDIUM This Month

Sensitive PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.02) allows any authenticated user with contributor-level access to retrieve customer booking records - including names, email addresses, phone numbers, and appointment comments - via the unprotected `cpabc_appointments_filter_list` AJAX action. The root cause is CWE-862 (Missing Authorization): the endpoint performs no capability check before returning data, meaning the attacker's only prerequisite is a valid WordPress login at contributor tier or above. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but a source-level fix appears committed in the plugin's SVN repository (changeset 3581633).

Authentication Bypass WordPress Information Disclosure Appointment Booking Calendar
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-7517 HIGH This Week

Stored cross-site scripting in the Custom Payment Gateways for WooCommerce WordPress plugin (all versions through 2.1.0) lets unauthenticated guests plant persistent JavaScript by submitting a crafted checkout POST request via the 'alg_wc_cpg_input_fields' parameter. The injected script executes in the browser of any user - including store administrators - who later views the affected page, enabling session/account compromise in the WordPress admin context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but the unauthenticated, no-configuration-required attack path makes it materially exploitable against default installs.

WordPress XSS Custom Payment Gateways For Woocommerce
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-12135 MEDIUM This Month

Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212) allows authenticated contributors to permanently inject arbitrary JavaScript via the unsanitized `align` attribute of the `[video_player]` shortcode. The payload persists in the WordPress database and executes in the browser of every user who subsequently visits any page containing the injected shortcode, enabling session hijacking, credential harvesting, or further site compromise. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis, though the stored nature of this XSS amplifies real-world risk relative to reflected variants.

WordPress XSS Fv Flowplayer Video Player
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12090 MEDIUM This Month

SQL injection in the Taskbuilder Project Management plugin for WordPress (versions ≤5.0.8) enables any authenticated user-including those with only subscriber-level access-to exfiltrate sensitive data from the WordPress database. The vulnerability exists in the `wppm_proj_filter` parameter handled by `wppm_view_project_tasks.php`, which lacks both proper SQL escaping and prepared statement usage. Compounding the risk, the `wp_ajax_wppm_view_project_tasks` AJAX handler performs no nonce verification, meaning the vulnerable code path is reachable by any authenticated WordPress session without additional preconditions. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress SQLi Taskbuilder Project Management Task Management Tool With Kanban Board
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12923 HIGH This Week

Arbitrary zero-argument PHP function invocation in the Youtube Showcase (Video Gallery - YouTube Gallery, Playlist & Video Grid) plugin for WordPress affects all versions up to and including 4.0.3, letting authenticated Subscriber-level users abuse the emd_delete_file() AJAX handler to call any callable PHP function name with no arguments. Because the handler validates only a nonce and omits a current_user_can() capability check, low-privileged accounts can trigger functions such as phpinfo(), get_defined_vars(), or error_get_last() to disclose sensitive server and application data. No public exploit identified at time of analysis and the issue is not in CISA KEV, so risk is currently theoretical but credible given the low privilege bar.

WordPress LFI Information Disclosure PHP Video Gallery Youtube Gallery Playlist Video Grid
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13015 MEDIUM This Month

Reflected Cross-Site Scripting in Wp Google Places Review Slider (WordPress plugin, versions ≤ 18.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `place` GET parameter in `admin/partials/googlecrawl_dfs.php`. The raw user input is URL-decoded and passed through `stripslashes()` before being echoed directly into an HTML value attribute — bypassing WordPress's standard `esc_attr()` — but only when the supplied place value is not already present as a key in the `wprev_google_crawls` stored option. No public exploit identified at time of analysis; successful exploitation requires tricking an authenticated WordPress administrator into clicking a specially crafted link.

WordPress XSS PHP Google Wp Google Review Slider
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12902 MEDIUM This Month

Authorization bypass in the Kadence Blocks WordPress plugin (all versions through 3.7.7) allows authenticated contributors to create arbitrary Media Library attachments by fetching remote images via internal WordPress functions, bypassing the upload_files capability boundary. The flaw resides in class-kadence-blocks-prebuilt-library.php at multiple call sites where wp_upload_bits() and wp_insert_attachment() are invoked without verifying the requesting user's authorization. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Kadence Blocks Page Builder Toolkit For Gutenberg Editor
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-12110 MEDIUM This Month

SQL Injection in the Taskbuilder Project Management & Task Management WordPress plugin (versions up to and including 5.0.8) allows any authenticated WordPress user with Subscriber-level access or higher to exfiltrate arbitrary data from the site's database. The root cause is dual: insufficient escaping of the 'task_search' parameter in the wppm_get_task_list AJAX handler combined with a complete absence of capability checks and nonce verification on that handler, meaning the attack surface is broader than typical subscriber-exploitable SQLi. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; however, the low privilege bar and straightforward injection vector make this a credible threat against any WordPress site running the affected plugin.

WordPress SQLi Taskbuilder Project Management Task Management Tool With Kanban Board
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13443 MEDIUM This Month

Stored Cross-Site Scripting in Tutor LMS (WordPress plugin by Themeum) versions through 3.9.13 allows authenticated attackers holding author-level or higher WordPress roles to inject persistent malicious scripts via the Lesson Attachment Title field. The injected payload is stored in the WordPress database and executes in the browser of any user who subsequently accesses a course page rendering the attachment - achieving a scope change from the plugin's context into the victim's browsing session. No public exploit code or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references to the vulnerable rendering path, lowering the barrier to exploitation.

WordPress XSS Tutor Lms Elearning And Online Course Solution
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13468 HIGH This Week

{chart}/{type}/ REST route. The plugin route skips the capability checks that WordPress's core REST endpoint for this non-public custom post type enforces (which correctly returns HTTP 401), exposing otherwise-restricted data. Rated CVSS 7.5 (confidentiality-only); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Visualizer Tables Charts Manager With Built In Ai Generator
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-9107 MEDIUM This Month

Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'meta[kaliforms_field_components]' parameter. Any WordPress user who subsequently visits a page containing the injected form will execute the attacker's script in their browser, making session hijacking, credential theft, and admin account takeover realistic outcomes. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege bar (contributor) makes this a realistic risk on multi-author WordPress sites.

WordPress XSS Kali Forms Contact Form Drag And Drop Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12904 MEDIUM This Month

Kadence Blocks WordPress plugin versions up to and including 3.7.7 allows authenticated Contributor-level users to read or delete optimizer analysis records belonging to posts they do not own, by exploiting a parameter mismatch in four REST API endpoints of the Optimize_Rest_Controller. The authorization check binds to a user-supplied post_id while the storage layer retrieves records by sha256 of a separately supplied, attacker-controlled post_path, with no enforcement that these two parameters refer to the same post. No public exploit code or CISA KEV listing exists at time of analysis; however, the low barrier to exploitation - any registered Contributor can leverage this - makes it relevant for multi-author WordPress sites. EPSS data was not provided in the input.

Authentication Bypass WordPress Kadence Blocks Page Builder Toolkit For Gutenberg Editor
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-13731 HIGH POC This Week

Stored cross-site scripting in the WPBot AI ChatBot for WordPress (all versions through 8.4.9) lets unauthenticated attackers persist arbitrary JavaScript through the 'conversation' parameter, which later executes when the injected page is viewed - most notably by an administrator opening the chat-session reports in wp-admin. Because the AJAX nonce that guards the save endpoint is publicly emitted on every frontend page via wp_localize_script, any anonymous visitor can obtain it, so there is effectively no barrier to injection. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; risk stems from ease of exploitation rather than confirmed in-the-wild abuse.

WordPress XSS Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-13246 MEDIUM This Month

Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-level WordPress access to inject persistent JavaScript payloads via the 'block_id' attribute of the 'givewp_campaign_comments' shortcode. The flaw originates in two code paths - CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render() - where the blockId value is interpolated directly into a single-quoted HTML attribute without WordPress's esc_attr() sanitization function. Any visitor loading an injected page will have the malicious script execute in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12133 MEDIUM This Month

Arbitrary group deletion in the JoomSport WordPress plugin (versions ≤5.7.8) is achievable by any authenticated subscriber-level user due to a missing capability check in the joomsport_season_groupdel() AJAX handler. The handler validates a WordPress nonce - preventing CSRF - but never calls current_user_can() or equivalent, allowing any logged-in user to supply attacker-controlled group IDs to an unguarded DELETE query. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is bounded by the requirement for a valid WordPress account and the limited scope of impact (group record deletion only).

Authentication Bypass WordPress Joomsport For Sports
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-10513 HIGH This Week

Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the provided data.

WordPress XSS Webmention
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-8141 HIGH This Week

Stored cross-site scripting in the Ajax Load More - Filters WordPress plugin (all versions through 3.4.1) lets unauthenticated attackers persist arbitrary JavaScript via the 'taxonomy_include_children' parameter, which then executes in the browser of any user who loads an affected page. Wordfence rates it CVSS 7.2 with a changed scope, reflecting that injected script runs in the context of other site visitors and administrators. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

WordPress XSS Ajax Load More Filters
NVD VulDB
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-9711 CRITICAL Act Now

Unauthenticated SQL injection in the EventON WordPress Virtual Event Calendar plugin (versions through 5.0.11) lets remote attackers inject arbitrary SQL through the 'search' parameter, enabling extraction of database contents such as user credentials and secrets. Exploitation is gated by the non-default 'Enable additional search queries' setting being enabled and the presence of at least one published event. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis.

WordPress SQLi Eventon Pro Wordpress Virtual Event Calendar Plugin
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-12240 HIGH This Week

Arbitrary file deletion in the Export User Data plugin for WordPress (versions up to and including 2.2.6) allows an authenticated subscriber-level attacker to delete any file on the server, including wp-config.php, which can escalate to remote code execution. The flaw stems from unsafe deserialization of a PHP object embedded in a user's display name that is processed when an administrator exports user data. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation is gated by required administrator interaction.

WordPress Deserialization RCE PHP Export User Data
NVD VulDB
CVSS 3.1
8.0
EPSS
0.3%
CVE-2026-9576 MEDIUM POC PATCH This Month

Broken object-level authorization in the Fluent Booking WordPress plugin (all versions before 2.1.2) allows any user holding the Calendar Manager role to export attendee PII - including names, email addresses, phone numbers, physical addresses, and payment information - from calendar groups they do not own. The flaw resides in the plugin's attendee export endpoint, which accepts a caller-supplied group_id without verifying the requesting user's ownership of that group. A publicly available proof-of-concept exploit exists per WPScan reporting; however, this vulnerability is not listed in the CISA KEV catalog, indicating no confirmed broad exploitation. The CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite, though the sensitivity of the exposed data - including payment details - elevates real-world business impact beyond what the numeric score alone suggests.

WordPress Information Disclosure Fluent Booking
NVD WPScan VulDB
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-11590 HIGH POC This Week

Unauthenticated SQL injection in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets remote attackers inject arbitrary SQL by abusing user-supplied array keys that are passed into a query without sanitization. Any unauthenticated visitor can extract sensitive database contents such as WordPress user records and password hashes. Publicly available exploit code exists, though EPSS rates exploitation probability low (0.18%, 7th percentile) and it is not on CISA KEV.

WordPress SQLi Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-11589 HIGH POC This Week

Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. Publicly available exploit code exists (reported by WPScan), though it is not listed in CISA KEV and no EPSS score was provided.

WordPress XSS Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-11581 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject arbitrary JavaScript into form field captions, which execute in an administrator's browser session when the admin views the form-entries screen. A compounding missing capability check in the plugin's post-duplication action enables the same low-privilege attacker to publish the malicious form without administrator approval, removing the dependency on an admin independently discovering the unpublished form. A publicly available exploit (via WPScan) exists, and the plugin vendor has released a patch in version 2.4.13. No CISA KEV listing is present, indicating no confirmed mass exploitation at time of analysis.

WordPress Information Disclosure Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.9
EPSS
0.2%
CVE-2026-12073 CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation Profilegrid User Profiles Groups And Communities
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-11367 MEDIUM This Month

Arbitrary file write via directory traversal in the PixMagix WordPress Image Editor plugin (all versions through 1.7.2) allows any authenticated Author-level WordPress user to write attacker-controlled content to arbitrary filesystem paths accessible by the web server process. The vulnerability stems from unsanitized use of the `layers[].id` parameter inside the `move_image_on_server` function, which concatenates user input directly into a PHP `copy()` call without path validation. Because the `save_template` REST endpoint requires only the `create_projects` permission - automatically granted to Author-level users on plugin activation - any contributor-tier account can exploit this to plant PHP webshells and escalate to remote code execution. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress Path Traversal Pixmagix Wordpress Image Editor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-12349 MEDIUM This Month

Unauthenticated sidebar manipulation in the Premium Addons for KingComposer WordPress plugin (versions up to and including 1.1.1) allows any remote attacker to create arbitrary custom widget areas or permanently delete existing ones without any credentials. The root cause is that the AJAX handlers add_custom_sidebar() and remove_custom_sidebar() are registered under wp_ajax_nopriv_* hooks with no authorization or capability checks, granting public HTTP access to options-table writes via update_option(). Deletion of sidebars silently breaks widget rendering site-wide, and no public exploit has been identified at time of analysis; no CISA KEV listing is present.

Authentication Bypass WordPress Premium Addons For Kingcomposer
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-12560 MEDIUM This Month

Stored Cross-Site Scripting in the Editorial Rating - Product Review & Rating System WordPress plugin (versions ≤ 4.0.5) enables authenticated administrators to inject persistent JavaScript payloads via the 'Link URL' field, which execute in any site visitor's browser upon loading an affected review page. The attack exploits a WordPress-specific sanitization bypass: because the payload is stored in post meta (_wpas_er_options via update_post_meta) rather than post_content or post_excerpt, WordPress's unfiltered_html capability exemption does not apply, meaning the restriction affects all administrators regardless of their unfiltered_html status. No public exploit has been identified at time of analysis and no active exploitation is confirmed; real-world risk is substantially constrained by the PR:H (administrator) prerequisite.

WordPress XSS Editorial Rating Product Review Rating System
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-8944 MEDIUM This Month

Cross-site request forgery in Plugin for Google Analytics by IO Technologies (WordPress) versions up to and including 1.1 allows unauthenticated remote attackers to overwrite the site's Google Analytics tracking ID by tricking a logged-in administrator into clicking a crafted link. The flaw stems from absent nonce validation on the ga.php settings handler, meaning forged POST requests bypass WordPress's standard CSRF protections entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 4.3 reflects the required administrator interaction and limited integrity-only impact.

WordPress CSRF PHP Google Plugin For Google Analytics By Io Technologies
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-12114 MEDIUM This Month

Persistent script injection in the Team Members - Multi Language Supported Team Plugin for WordPress (all versions through 8.7) enables authenticated administrators to embed malicious JavaScript into site pages via insufficient sanitization and escaping in admin settings fields, with injected payloads executing silently for every subsequent page visitor. The vulnerability is constrained to two non-default deployment scenarios: WordPress multisite network installations and single-site installations where the unfiltered_html capability has been explicitly revoked from administrators - standard single-site installs are unaffected. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept exists, placing real-world risk well below what the scope-changed CVSS vector might initially suggest.

WordPress XSS Team Members Multi Language Supported Team Plugin
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-57341 MEDIUM This Month

Unauthenticated IDOR in Colissimo Officiel : Méthodes de livraison pour WooCommerce (versions ≤ 2.9.0) exposes shipping-related backend objects to manipulation by remote, unauthenticated attackers. Missing server-side authorization on object lookups allows adversaries to reference records belonging to other users, producing low integrity and availability impacts on WooCommerce shipping data with no confidentiality breach. No public exploit code or active exploitation has been identified at time of analysis, and no patched version number was independently confirmed in the available intelligence.

Authentication Bypass WordPress Colissimo Officiel
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57340 MEDIUM This Month

Unauthenticated broken access control in the Japanized For WooCommerce WordPress plugin (versions <= 2.9.12) allows remote unauthenticated attackers to bypass authorization checks and perform restricted operations, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, lowering the exploitation barrier significantly for any exposed WordPress site running this plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity and zero-privilege requirement make this accessible to unsophisticated attackers.

Authentication Bypass WordPress Japanized For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57332 HIGH This Week

Improper authorization in the Wallet System for WooCommerce WordPress plugin (versions 2.7.6 and earlier) lets low-privileged authenticated users — subscriber-level accounts — perform wallet actions reserved for higher roles, enabling manipulation of stored wallet balances and transactions. The flaw, reported by Patchstack and tracked as CWE-862 (Missing Authorization), carries a 7.1 (High) CVSS score driven by high integrity impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Wallet System For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57329 MEDIUM This Month

Stored Cross-Site Scripting in WooCommerce Designer Pro (WordPress plugin) versions 1.9.34 and earlier allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The scope change (S:C in CVSS) indicates injected payloads can cross privilege boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the subscriber-level entry point lowers the bar for exploitation on any site permitting account registration.

WordPress XSS Woocommerce Designer Pro
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-9676 MEDIUM POC PATCH This Month

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

WordPress CSRF F4 Post Tree
NVD WPScan VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-10083 HIGH POC PATCH NEWS This Week

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

WordPress XSS Apcu Manager
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-8095 HIGH This Week

Authenticated arbitrary file deletion in the Frontend File Manager Plugin (nmedia-user-file-uploader) for WordPress versions through 23.6 lets Subscriber-level users delete any file on the server, including wp-config.php, which can cascade into full site takeover. The flaw stems from a case-sensitivity gap in input sanitization within the wpfm_file_meta_update AJAX handler that allows attacker-controlled paths to reach unlink() unchecked. Reported by Wordfence with a CVSS of 8.1; no public exploit identified at time of analysis and the issue is not on CISA KEV.

WordPress Information Disclosure PHP
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-12399 MEDIUM This Month

Stored Cross-Site Scripting in the Gutenverse WordPress Blocks, Page Builder & Site Editor plugin (all versions through 3.8.0) enables authenticated editor-level users to persist arbitrary JavaScript into pages served to any site visitor. The vulnerability is constrained to WordPress multi-site installations or single-site deployments where unfiltered_html has been explicitly disabled. No public exploit has been identified at time of analysis, and a upstream fix commit (changeset 3578328) has been published to the WordPress plugin repository.

WordPress XSS Gutenverse Wordpress Blocks Page Builder Site Editor
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-3462 MEDIUM This Month

Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's `upload_csv` and `process_batch` functions in the `MigrationMobilepayToVipps` class perform no WordPress capability checks before processing caller-supplied CSV data. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier (Subscriber) makes it meaningful in multi-tenant or open-registration WordPress environments.

Authentication Bypass WordPress Frisbii Pay
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12432 MEDIUM This Month

Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. An attacker who has legitimately initiated a checkout on the target site (and thereby obtained a Stripe Payment Intent ID from the browser-visible Stripe.js flow) can send a crafted POST request to mark a previously successful payment as failed, potentially blocking order fulfillment, triggering disputes, or corrupting financial records. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Stripe Payment Forms By Wp Full Pay Accept Credit Card Payments Donations Subscriptions
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-11597 MEDIUM This Month

Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress XSS Surbma Infusionsoft Shortcode
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13295 MEDIUM This Month

Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.

WordPress XSS Page Builder By Siteorigin
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12471 MEDIUM This Month

Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. No public exploit code or active exploitation has been identified at time of analysis, and no EPSS data was provided.

Authentication Bypass WordPress Spexo
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11773 MEDIUM This Month

Authorization bypass in the Masteriyo LMS WordPress plugin (all versions through 2.2.1) allows authenticated users with student-level access to overwrite the post content of course announcements created by instructors or administrators. The flaw is rooted in missing authorization checks (CWE-862) inside the CourseAnnouncementController addon, meaning any enrolled student can tamper with official communications - exam instructions, policy notices, deadlines - without being detected by the LMS. No public exploit code or active exploitation has been identified at time of analysis; CVSS rates this 4.3 (Medium) reflecting limited integrity-only impact with no confidentiality or availability consequence.

Authentication Bypass WordPress Masteriyo Lms Lms Course Builder Quizzes Certificates
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-9233 MEDIUM This Month

Authorization bypass in the Quiz and Survey Master (QSM) WordPress plugin (all versions through 11.1.4) allows authenticated contributors to create, modify, and delete quiz output templates in the mlw_quiz_output_templates database table without proper capability checks. Because template content is stored without sanitization, this grants contributor-level users the practical ability to inject arbitrary script tags into templates viewable by higher-privileged users such as administrators. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege requirement makes this accessible to any registered contributor on affected WordPress installations.

Authentication Bypass WordPress Quiz And Survey Master Qsm Easy Quiz And Survey Maker
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-11364 MEDIUM This Month

Unauthorized taxonomy manipulation in the Product Specifications for WooCommerce WordPress plugin (versions up to and including 0.8.9) exposes AJAX endpoints that any authenticated subscriber can invoke without authorization checks or CSRF protection, enabling arbitrary creation, modification, and deletion of product specification groups and attributes. The affected AJAX actions 'dwps_modify_groups' and 'dwps_modify_attributes' - bound to the __invoke() methods of AttributeGroupController and AttributeController - operate on 'spec-group' and attribute taxonomy terms, meaning successful exploitation directly corrupts WooCommerce store business data and breaks frontend product display. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Authentication Bypass WordPress Product Specifications For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11783 MEDIUM This Month

Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the attack surface is wide on marketplaces with open vendor registration.

WordPress XSS Dokan
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-9242 MEDIUM This Month

Authentication bypass in the RegistrationMagic WordPress plugin (all versions through 6.0.8.6) permits an unauthenticated attacker with a prior legitimate payment transaction on the target site to obtain real WordPress session cookies for any user account, including administrators. The flaw exploits a fatally inverted processing order in the PayPal IPN callback handler: attacker-controlled POST data including the target user_id is written to the payment log database before PayPal IPN validation is performed, and the database poisoning persists even after validation subsequently rejects the forged notification. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the account-takeover impact makes this a critical priority for any site running the plugin with active PayPal payment integration.

WordPress Authentication Bypass Registrationmagic Custom Registration Forms User Registration Payment And User Login
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-11987 MEDIUM This Month

Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress Dokan
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-9677 MEDIUM This Month

The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

WordPress XSS
NVD WPScan VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-13245 MEDIUM This Month

Reflected Cross-Site Scripting in the MaxButtons - Create buttons WordPress plugin (versions up to and including 9.8.5) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'view' parameter, executing in the victim's browser context when a crafted URL is clicked. The flaw is traced to insufficient input sanitization in listController.php and maxbuttons-list.php, as confirmed by Wordfence and source-level references in the WordPress plugin repository. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make social-engineering-based exploitation straightforward.

WordPress XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-12404 MEDIUM This Month

Unauthenticated form submission data exfiltration in NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) exposes sensitive PII and payment details to any remote attacker. Missing authorization checks on report download endpoints allow sequential enumeration of report IDs without any credentials, enabling mass harvesting of names, email addresses, phone numbers, postal addresses, payment details, and file paths from every saved form report on the site. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and zero authentication requirement make opportunistic exploitation straightforward.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-10820 HIGH PATCH This Week

Broken access control (Insecure Direct Object Reference) in the Paid Member Subscriptions WordPress plugin before 4.16.17 lets any authenticated low-privileged user (Subscriber or above) cancel arbitrary other users' active subscriptions by manipulating the subscription identifier in a subscription-action request. The plugin fails to verify that the requesting account owns the targeted subscription. No public exploit identified at time of analysis, EPSS is low at 0.14% (3rd percentile), and the issue is not in CISA KEV, but the attack is trivial to perform once any account exists on the site.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-12415 CRITICAL POC Act Now

Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV.

Privilege Escalation WordPress Invoice Generator
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-13422 MEDIUM This Month

Cross-Site Request Forgery in the HD Quiz WordPress plugin versions 2.2.0 and 2.2.1 enables unauthenticated attackers to manipulate quiz content and plugin settings by tricking a logged-in administrator into clicking a crafted link. The flaw originates in the `hdq_validate_nonce` function (`includes/functions.php:39`), which fails to properly validate WordPress nonces across at least six distinct AJAX action handlers in `includes/actions-ajax.php`. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though Wordfence has published a detailed advisory with source code references for both affected versions.

WordPress CSRF Hd Quiz
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-11356 MEDIUM This Month

Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the `menu_title` and `menu_magnifier_color` settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. No public exploit code has been identified at time of analysis, CISA KEV does not list this CVE, and the CVSS score of 4.4 reflects the high privilege prerequisite rather than the cross-site impact scope.

WordPress XSS Ivory Search Wordpress Search Plugin
NVD VulDB
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-13333 MEDIUM This Month

SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the `query[select]` REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in `query[filters]` triggers a FilterException that silently redirects execution from the protected `Contact_Query` path to the unprotected `Legacy_Contact_Query` path. No CISA KEV listing or confirmed public exploit code exists at time of analysis, though Wordfence's advisory directly references vulnerable source lines at plugin version 4.5.5, materially lowering the barrier to independent PoC development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13335 MEDIUM This Month

Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. No confirmed active exploitation appears in CISA KEV, and no public exploit code has been identified at time of analysis.

WordPress XSS Google Codepeople Post Map For Google Maps
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-13331 MEDIUM This Month

SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the vulnerability is straightforward to exploit with valid credentials given the low complexity rating.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57664 MEDIUM This Month

Sensitive data exposure in the Bopo - WooCommerce Product Bundle Builder plugin for WordPress (versions ≤ 1.1.6) allows low-privileged authenticated users to access information that should be restricted to higher-trust roles. The flaw is classified under CWE-497, indicating the plugin exposes sensitive system or application data to an unauthorized control sphere - likely via an improperly protected REST API endpoint or AJAX action lacking appropriate capability checks. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-57637 MEDIUM This Month

Cross-Site Request Forgery in the Abandoned Cart Lite for WooCommerce WordPress plugin (versions 6.8.0 and below) enables unauthenticated remote attackers to perform unauthorized state-changing actions by luring an authenticated site user into visiting a malicious page. The CVSS score of 4.3 (Medium) reflects a limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Stored XSS in the yootheme WordPress theme before version 5.0.35 enables users holding the Author role to inject persistent malicious scripts into posts by exploiting a sanitization gap between WordPress's wp_kses_post() filter and the theme's bundled front-end framework, which interprets certain permitted HTML attributes as executable markup. Any visitor - including site administrators - who views an affected post triggers script execution in their browser, creating a realistic privilege escalation path on multi-author WordPress sites. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; vendor patch version 5.0.35 is confirmed via WPScan advisory.

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) lets unauthenticated attackers persist arbitrary JavaScript via the '_name[]' array parameter, which then runs in the browser of any user who views the injected page. The flaw is notable because the plugin's own wp_kses() allow-list (NEXForms_allowed_tags()) deliberately whitelists <script>, <iframe src/srcdoc>, and JS event handlers, so the normal output-filtering layer provides no protection. No public exploit identified at time of analysis; the issue was reported by Wordfence and carries a CVSS 7.2 with a changed scope.

WordPress XSS Nex Forms Ultimate Forms Plugin For Wordpress
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not on CISA KEV, though the root-cause code paths are pinpointed in public plugin source.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Photo Album Plus (WordPress plugin, all versions through 9.1.13.005) allows contributor-level authenticated attackers to inject persistent JavaScript payloads via the unsanitized 'subtext' parameter of the [photo] shortcode. The CVSS scope change (S:C) is the critical amplifier: a low-privileged contributor can embed malicious shortcodes in posts submitted for editorial review, causing the stored payload to execute in administrator browser sessions when the content is previewed - enabling session hijacking and potential full site takeover. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and common WordPress contributor registration practices make this a realistic threat on affected installations.

WordPress XSS Wp Photo Album Plus
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in VikBooking Hotel Booking Engine & PMS plugin for WordPress (all versions through 1.8.12) allows unauthenticated remote attackers to inject arbitrary JavaScript into victims' browsers by tricking them into clicking a crafted URL. The vulnerable `layoutstyle` parameter is insufficiently sanitized before being rendered in the roomslist view template, enabling session hijacking, credential theft, or malicious redirects against authenticated site users such as hotel administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, and a patched version (1.8.13) is available per plugin Trac references.

WordPress XSS Vikbooking Hotel Booking Engine Pms
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the MotoPress Appointment Booking WordPress plugin (versions ≤ 2.4.5) allows authenticated attackers holding the mpa_appointment_employee custom role to append arbitrary SQL to booking search queries via the 's' parameter, enabling full read access to the underlying WordPress database. The vulnerability originates in ManageBookingsPage.php at two separate query-construction points (lines 247 and 310), where user-supplied input is neither escaped nor parameterized. No public exploit code or active exploitation has been identified at time of analysis, and the EPSS signal was not supplied; however, the Wordfence intelligence report and a confirmed upstream fix commit indicate the issue is credibly documented.

WordPress SQLi Motopress Appointment Booking
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation via Cross-Site Request Forgery in the RegistrationMagic WordPress plugin (all versions through 6.0.9.1) lets a remote attacker promote an arbitrary form submitter to administrator by forging a request to the process_request function, which lacks proper nonce validation. The attack plants a malicious Chronos automation task that later runs through WordPress cron, and it succeeds when a logged-in administrator is tricked into clicking an attacker-supplied link. No public exploit identified at time of analysis, and it is not listed in CISA KEV; risk is driven by the plugin's install base and the low technical bar of CSRF.

WordPress CSRF Registrationmagic Custom Registration Forms User Registration Payment And User Login
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WordPress Download Manager plugin (all versions through 3.3.60) allows authenticated contributors to persistently inject arbitrary JavaScript via the `no_data_msg` shortcode attribute, executing in any subsequent visitor's browser context. The vulnerability exploits a bypass in WordPress's `wp_kses_post` sanitization: the filter strips disallowed HTML tokens at save time but does not neutralize C-style escape sequences embedded in shortcode attribute values, which are silently reconstructed into raw `<script>` tags at render time. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the deliberate evasion technique elevates risk on multi-contributor WordPress deployments.

WordPress XSS Download Manager
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account-takeover privilege escalation in the SMS Alert - SMS & OTP for WooCommerce WordPress plugin (versions up to and including 3.9.5) lets unauthenticated remote attackers change any user's email address and trigger a password reset, seizing administrator accounts. The flaw stems from the OTP-based password-reset flow failing to verify the requester's identity before updating account details. No public exploit has been identified at time of analysis, though the issue was disclosed by Wordfence and carries a 9.8 CVSS rating.

Authentication Bypass WordPress Privilege Escalation +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized private content disclosure in the Slim SEO WordPress plugin (all versions through 4.9.8) allows authenticated Contributors to read protected content they do not own via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. The endpoint's broken object-level authorization - checking only the generic `edit_posts` capability rather than per-post read access - lets any Contributor supply an arbitrary post ID and receive an AI-generated summary of that post's raw content, including private, draft, pending, future, and password-protected posts authored by other users. No public exploit or CISA KEV listing is identified at time of analysis; real-world risk is constrained by the requirement for a pre-existing Contributor-level account.

WordPress Information Disclosure Slim Seo A Fast Automated Seo Plugin For Wordpress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Qi Blocks WordPress plugin (all versions ≤ 1.4.9) allows any authenticated user with Author-level access to overwrite the stored global styles of arbitrary posts, templates, or widgets they do not own by manipulating the unvalidated 'page_id' parameter. Critically, the reserved 'template' and 'widget' page_id values expose site-wide surfaces, enabling an Author to deface, hide content on, or visually degrade any page across the entire WordPress installation. The permission_callback validates only generic edit_posts and publish_posts capabilities rather than post ownership, meaning the built-in Author role is sufficient for exploitation. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress Qi Blocks
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Motors - Car Dealership & Classified Listings Plugin for WordPress allows authenticated subscriber-level users to arbitrarily mark any other user's vehicle listing as sold by replaying a harvested nonce against a victim's post ID. All plugin versions up to and including 1.4.111 are affected. An attacker exploiting this flaw can silently deface competitor or victim listings with a site-wide 'Sold' badge while also stripping the `special_car` featured post meta, causing business harm on dealership or classifieds sites. No public exploit has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Motors Car Dealership Classified Listings Plugin
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the LearnPress WordPress LMS plugin (versions up to and including 4.4.0) allows authenticated contributors to permanently inject arbitrary JavaScript into WordPress pages via the unescaped 'class_wrapper_form' shortcode attribute. The payload persists in the database and executes in the browser of any visitor - including administrators - who loads the affected page, enabling session hijacking, credential harvesting, or privilege escalation through forged admin actions. No CISA KEV listing or public exploit code has been identified at time of analysis, but the Wordfence advisory includes precise code-level references that substantially lower the bar for independent reproduction.

WordPress XSS Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Dokan Pro WooCommerce multivendor plugin for WordPress (all versions through 5.0.4) allows an authenticated vendor-level attacker to grant themselves or a controlled vendor_staff account the WordPress administrator capability, resulting in full site takeover. The flaw stems from the update_capabilities() REST handler accepting arbitrary capability strings with no allowlist, only checking for the dokandar capability. No public exploit has been identified at time of analysis, and no EPSS or KEV signals were supplied; however, the issue is reported by Wordfence and exploitation is straightforward on sites where the Vendor Staff module is enabled and vendor self-registration is permitted.

Privilege Escalation WordPress Dokan Pro
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Missing authorization on an AJAX endpoint in the Salon Booking System WordPress plugin (all versions before 10.30.20) allows any authenticated subscriber-level user to modify plugin settings and disable the manual approval workflow for new bookings. A publicly available proof-of-concept exists per WPScan's disclosure, making exploitation straightforward for any registered user on affected sites. No public exploitation (CISA KEV) has been confirmed, and SSVC assessment classifies technical impact as partial with exploitation not yet automated.

WordPress Authentication Bypass Salon Booking System
NVD WPScan VulDB
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Two-factor authentication bypass in the WebAuthn Provider for Two Factor WordPress plugin (all versions before 2.5.6) lets an attacker who already possesses a valid user's password defeat the WebAuthn second factor by submitting a malformed authentication response that the plugin fails to validate. This neutralizes the plugin's core protection, effectively reducing account security back to single-factor (password-only). Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as being used in active attacks and the issue is not listed in CISA KEV.

WordPress Authentication Bypass Webauthn Provider For Two Factor
NVD WPScan VulDB
EPSS 0% CVSS 3.1
LOW POC PATCH Monitor

Subscription cancellation authorization bypass in the Fluent Forms WordPress plugin (all versions before 6.2.1) permits any authenticated low-privilege user to cancel subscriptions belonging to other site members by submitting a crafted request referencing a victim's subscription identifier. The plugin fails to verify that the requesting user owns the referenced subscription before processing the cancellation, a classic Insecure Direct Object Reference (IDOR) pattern. A public proof-of-concept is available via WPScan; no confirmed active exploitation campaign (CISA KEV) has been identified at time of analysis, and the CVSS base score of 3.1 reflects the limited, integrity-only impact.

WordPress Information Disclosure Fluent Forms
NVD WPScan VulDB
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Privilege escalation in the Advanced Form Integration - Connect Forms to 200+ Apps WordPress plugin before 2.1.1 allows unauthenticated visitors to provision a full administrator account through a public form. Because the plugin fails to restrict which WordPress role it assigns during user creation, any site that maps the user-role field to a public form input via an active integration exposes site takeover to anonymous submitters. Publicly available exploit code exists (reported by WPScan), though this is not listed in CISA KEV and requires a specific non-default integration configuration, so real-world exposure is narrower than the 8.1 CVSS suggests.

WordPress Information Disclosure Advanced Form Integration Connect Forms To 200 Apps
NVD WPScan VulDB
EPSS 0% CVSS 4.2
MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the User Submitted Posts WordPress plugin before version 20260608 enables unauthenticated attackers to inject persistent malicious scripts into admin-configured display templates. The vulnerability is only reachable when a site administrator has enabled a non-default display option in the plugin settings, limiting its real-world exposure. A publicly available proof-of-concept exploit exists per WPScan, though no active exploitation has been confirmed by CISA KEV at time of analysis.

WordPress XSS User Submitted Posts
NVD WPScan VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Unauthenticated information disclosure in the Product Configurator for WooCommerce WordPress plugin (versions before 1.7.3) exposes sensitive product data through a public AJAX action that skips authorization and post-status checks. By supplying only a product ID, remote unauthenticated users can read titles, prices, weights, stock status, and configurator option pricing/SKUs of private and draft products, bypassing WordPress post-visibility controls. Publicly available exploit code exists (reported by WPScan), though there is no indication of active exploitation.

WordPress Authentication Bypass Product Configurator For Woocommerce
NVD WPScan VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

Missing capability check in WS Form LITE WordPress plugin before 1.11.8 allows any authenticated subscriber-level WordPress user to modify the plugin's settings, an action that should be restricted to administrators. The CVSS vector (PR:L) confirms low-privilege authentication is sufficient, and a publicly available proof-of-concept has been documented by WPScan. No active exploitation has been confirmed by CISA KEV, but the low barrier to exploitation and available POC make this a credible risk on multi-user WordPress installations where untrusted subscribers exist.

WordPress Information Disclosure Ws Form Lite
NVD WPScan VulDB
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

Broken access control in the Royal MCP WordPress plugin before 1.4.26 lets any authenticated low-privileged user (e.g. Subscriber) invoke privileged MCP tools that skip capability checks after token authentication, exposing private content, full user/role enumeration, and create/modify/delete operations on other users' content. Reported by WPScan with a publicly available exploit and a vendor patch in 1.4.26; the CVSS 8.1 vector (PR:L) confirms authenticated but not administrative access is required. There is no public exploit identified as actively exploited - status is POC only, not CISA KEV.

WordPress Information Disclosure Royal Mcp
NVD WPScan VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Ninja Forms WordPress plugin (all versions through 3.14.1) lets unauthenticated remote attackers read stored form submissions via the 'ninja-forms-views/token/refresh' REST callback, which lacks an authorization check. Because Ninja Forms submissions frequently capture PII, contact details, and other sensitive user-entered data, this exposes potentially confidential information to anyone who can reach the site. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-auth nature makes it straightforward to abuse.

Authentication Bypass WordPress Ninja Forms The Contact Form Builder That Grows With You
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in the BookingPress Appointment Booking Pro WordPress plugin (versions up to and including 5.7.1) allows unauthenticated attackers to inject SQL through the 'store_service_date' POST parameter of the bpa_assign_staffmember_to_slots() function, enabling extraction of sensitive database contents such as user credentials and PII. The flaw stems from stripslashes_deep() being applied to user input before it is concatenated directly into a LIKE clause without $wpdb->prepare(). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; no EPSS score was provided in the input.

WordPress SQLi Bookingpress Appointment Booking Pro
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in JetWidgets For Elementor (versions up to and including 1.0.21) allows authenticated WordPress users holding author-level access or higher to plant persistent JavaScript payloads by supplying unsanitized input to the Animated Box widget's animation_effect parameter, which is written directly into an HTML class attribute without output escaping or server-side validation. Any site visitor who loads an injected page triggers the payload, enabling session hijacking, credential theft, or administrative account takeover through privilege escalation within the victim's browser context. No public exploit has been identified at time of analysis and the CVE does not appear in CISA KEV; however, a fix has been committed to the WordPress plugin repository.

WordPress XSS Jetwidgets For Elementor
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL Act Now

Arbitrary file deletion in the WP-BusinessDirectory (Business Directory) plugin for WordPress (versions ≤ 4.0.1) lets unauthenticated remote attackers delete any file the web server can access, including wp-config.php. The flaw stems from the frontend-accessible task=upload.remove endpoint accepting an unsanitized _filename parameter that permits ../ path traversal. No public exploit is identified at time of analysis, but the CVSS 9.1 rating and trivial exploitation (network, no auth, no user interaction) make it high priority; deleting wp-config.php can force WordPress into its installer, enabling site takeover.

WordPress Path Traversal PHP +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

CRLF injection in WPForms plugin for WordPress (all versions up to and including 1.10.2) enables unauthenticated attackers to silently blind-copy all site notification emails to an attacker-controlled address. The flaw originates from `get_reply_to_address()` applying the wrong smart-tag expansion context, allowing CR/LF characters preserved by `wpforms_sanitize_textarea_field()` to pass unstripped into raw mail header concatenation. Exploitation requires a specific non-default site configuration but demands no authentication or elevated interaction beyond a standard form submission; no public exploit code or CISA KEV listing has been identified at time of analysis.

WordPress Authentication Bypass Wpforms Ai Form Builder For Wordpress Contact Forms Payment Forms Survey Form Quiz More
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Course enrollment data exposure in LearnPress WordPress LMS plugin (all versions through 4.3.9.1) enables authenticated subscribers to read the course progress and completion records of any instructor or administrator by supplying an arbitrary value to the `userId` REST API parameter. The lazy load controller accepts the caller-supplied key without verifying ownership, bypassing authorization for LP_TEACHER_ROLE and administrator accounts while a partial guard correctly blocks subscriber-to-subscriber cross-access. No public exploit code or active exploitation has been identified at time of analysis, but exploitation requires only a subscriber-level account, making the real-world barrier low on sites with open user registration.

Authentication Bypass WordPress Learnpress Wordpress Lms Plugin For Create And Sell Online Courses
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in GiveWP - Donation Plugin and Fundraising Platform (versions up to and including 4.15.3) allows unauthenticated remote attackers to disable donation email notifications by tricking a logged-in administrator into clicking a crafted link. The root cause is absent nonce validation in the give_set_notification_status_handler() AJAX handler, permitting forged state-changing requests. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; however, the integrity impact - silently disabling donation notifications - could cause operational blind spots for nonprofit or fundraising site operators.

WordPress CSRF Givewp Donation Plugin And Fundraising Platform
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Event Organiser WordPress plugin (all versions through 3.12.9) allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript via the unescaped 'no_events' parameter of the 'eo_events' shortcode. The payload persists server-side and executes in any visitor's browser when they load a page containing the injected shortcode with no matching events. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the low authentication bar (Contributor) makes this a meaningful risk on multi-author WordPress sites.

WordPress XSS Event Organiser
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive PII exposure in the Appointment Booking Calendar WordPress plugin (versions up to and including 1.4.02) allows any authenticated user with contributor-level access to retrieve customer booking records - including names, email addresses, phone numbers, and appointment comments - via the unprotected `cpabc_appointments_filter_list` AJAX action. The root cause is CWE-862 (Missing Authorization): the endpoint performs no capability check before returning data, meaning the attacker's only prerequisite is a valid WordPress login at contributor tier or above. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, but a source-level fix appears committed in the plugin's SVN repository (changeset 3581633).

Authentication Bypass WordPress Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Custom Payment Gateways for WooCommerce WordPress plugin (all versions through 2.1.0) lets unauthenticated guests plant persistent JavaScript by submitting a crafted checkout POST request via the 'alg_wc_cpg_input_fields' parameter. The injected script executes in the browser of any user - including store administrators - who later views the affected page, enabling session/account compromise in the WordPress admin context. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV, but the unauthenticated, no-configuration-required attack path makes it materially exploitable against default installs.

WordPress XSS Custom Payment Gateways For Woocommerce
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in FV Flowplayer Video Player (all WordPress plugin versions up to and including 7.5.51.7212) allows authenticated contributors to permanently inject arbitrary JavaScript via the unsanitized `align` attribute of the `[video_player]` shortcode. The payload persists in the WordPress database and executes in the browser of every user who subsequently visits any page containing the injected shortcode, enabling session hijacking, credential harvesting, or further site compromise. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis, though the stored nature of this XSS amplifies real-world risk relative to reflected variants.

WordPress XSS Fv Flowplayer Video Player
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Taskbuilder Project Management plugin for WordPress (versions ≤5.0.8) enables any authenticated user-including those with only subscriber-level access-to exfiltrate sensitive data from the WordPress database. The vulnerability exists in the `wppm_proj_filter` parameter handled by `wppm_view_project_tasks.php`, which lacks both proper SQL escaping and prepared statement usage. Compounding the risk, the `wp_ajax_wppm_view_project_tasks` AJAX handler performs no nonce verification, meaning the vulnerable code path is reachable by any authenticated WordPress session without additional preconditions. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress SQLi Taskbuilder Project Management Task Management Tool With Kanban Board
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Arbitrary zero-argument PHP function invocation in the Youtube Showcase (Video Gallery - YouTube Gallery, Playlist & Video Grid) plugin for WordPress affects all versions up to and including 4.0.3, letting authenticated Subscriber-level users abuse the emd_delete_file() AJAX handler to call any callable PHP function name with no arguments. Because the handler validates only a nonce and omits a current_user_can() capability check, low-privileged accounts can trigger functions such as phpinfo(), get_defined_vars(), or error_get_last() to disclose sensitive server and application data. No public exploit identified at time of analysis and the issue is not in CISA KEV, so risk is currently theoretical but credible given the low privilege bar.

WordPress LFI Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in Wp Google Places Review Slider (WordPress plugin, versions ≤ 18.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unsanitized `place` GET parameter in `admin/partials/googlecrawl_dfs.php`. The raw user input is URL-decoded and passed through `stripslashes()` before being echoed directly into an HTML value attribute — bypassing WordPress's standard `esc_attr()` — but only when the supplied place value is not already present as a key in the `wprev_google_crawls` stored option. No public exploit identified at time of analysis; successful exploitation requires tricking an authenticated WordPress administrator into clicking a specially crafted link.

WordPress XSS PHP +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Kadence Blocks WordPress plugin (all versions through 3.7.7) allows authenticated contributors to create arbitrary Media Library attachments by fetching remote images via internal WordPress functions, bypassing the upload_files capability boundary. The flaw resides in class-kadence-blocks-prebuilt-library.php at multiple call sites where wp_upload_bits() and wp_insert_attachment() are invoked without verifying the requesting user's authorization. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Kadence Blocks Page Builder Toolkit For Gutenberg Editor
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Taskbuilder Project Management & Task Management WordPress plugin (versions up to and including 5.0.8) allows any authenticated WordPress user with Subscriber-level access or higher to exfiltrate arbitrary data from the site's database. The root cause is dual: insufficient escaping of the 'task_search' parameter in the wppm_get_task_list AJAX handler combined with a complete absence of capability checks and nonce verification on that handler, meaning the attack surface is broader than typical subscriber-exploitable SQLi. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; however, the low privilege bar and straightforward injection vector make this a credible threat against any WordPress site running the affected plugin.

WordPress SQLi Taskbuilder Project Management Task Management Tool With Kanban Board
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Tutor LMS (WordPress plugin by Themeum) versions through 3.9.13 allows authenticated attackers holding author-level or higher WordPress roles to inject persistent malicious scripts via the Lesson Attachment Title field. The injected payload is stored in the WordPress database and executes in the browser of any user who subsequently accesses a course page rendering the attachment - achieving a scope change from the plugin's context into the victim's browsing session. No public exploit code or CISA KEV listing has been identified at time of analysis, but the Wordfence disclosure includes direct source-code references to the vulnerable rendering path, lowering the barrier to exploitation.

WordPress XSS Tutor Lms Elearning And Online Course Solution
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

{chart}/{type}/ REST route. The plugin route skips the capability checks that WordPress's core REST endpoint for this non-public custom post type enforces (which correctly returns HTTP 401), exposing otherwise-restricted data. Rated CVSS 7.5 (confidentiality-only); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Visualizer Tables Charts Manager With Built In Ai Generator
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'meta[kaliforms_field_components]' parameter. Any WordPress user who subsequently visits a page containing the injected form will execute the attacker's script in their browser, making session hijacking, credential theft, and admin account takeover realistic outcomes. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege bar (contributor) makes this a realistic risk on multi-author WordPress sites.

WordPress XSS Kali Forms Contact Form Drag And Drop Builder
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Kadence Blocks WordPress plugin versions up to and including 3.7.7 allows authenticated Contributor-level users to read or delete optimizer analysis records belonging to posts they do not own, by exploiting a parameter mismatch in four REST API endpoints of the Optimize_Rest_Controller. The authorization check binds to a user-supplied post_id while the storage layer retrieves records by sha256 of a separately supplied, attacker-controlled post_path, with no enforcement that these two parameters refer to the same post. No public exploit code or CISA KEV listing exists at time of analysis; however, the low barrier to exploitation - any registered Contributor can leverage this - makes it relevant for multi-author WordPress sites. EPSS data was not provided in the input.

Authentication Bypass WordPress Kadence Blocks Page Builder Toolkit For Gutenberg Editor
NVD
EPSS 0% CVSS 7.2
HIGH POC This Week

Stored cross-site scripting in the WPBot AI ChatBot for WordPress (all versions through 8.4.9) lets unauthenticated attackers persist arbitrary JavaScript through the 'conversation' parameter, which later executes when the injected page is viewed - most notably by an administrator opening the chat-session reports in wp-admin. Because the AJAX nonce that guards the save endpoint is publicly emitted on every frontend page via wp_localize_script, any anonymous visitor can obtain it, so there is effectively no barrier to injection. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; risk stems from ease of exploitation rather than confirmed in-the-wild abuse.

WordPress XSS Wpbot Ai Chatbot For Live Support Lead Generation Ai Services
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in GiveWP versions up to and including 4.16.0 allows authenticated attackers with author-level WordPress access to inject persistent JavaScript payloads via the 'block_id' attribute of the 'givewp_campaign_comments' shortcode. The flaw originates in two code paths - CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render() - where the blockId value is interpolated directly into a single-quoted HTML attribute without WordPress's esc_attr() sanitization function. Any visitor loading an injected page will have the malicious script execute in their browser context. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

WordPress XSS Givewp Donation Plugin And Fundraising Platform
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Arbitrary group deletion in the JoomSport WordPress plugin (versions ≤5.7.8) is achievable by any authenticated subscriber-level user due to a missing capability check in the joomsport_season_groupdel() AJAX handler. The handler validates a WordPress nonce - preventing CSRF - but never calls current_user_can() or equivalent, allowing any logged-in user to supply attacker-controlled group IDs to an unguarded DELETE query. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV; real-world risk is bounded by the requirement for a valid WordPress account and the limited scope of impact (group record deletion only).

Authentication Bypass WordPress Joomsport For Sports
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Webmention WordPress plugin (versions up to and including 5.8.0) lets unauthenticated attackers persist malicious script through the public webmention REST endpoint, which a moderator or administrator then triggers simply by opening the affected comment's edit screen. Attacker-controlled MF2 'avatar' and 'url' author properties are stored and later echoed unescaped into HTML 'value' attributes, yielding script execution in a privileged admin session. No public exploit identified at time of analysis, and no EPSS or CISA KEV signal is present in the provided data.

WordPress XSS Webmention
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Ajax Load More - Filters WordPress plugin (all versions through 3.4.1) lets unauthenticated attackers persist arbitrary JavaScript via the 'taxonomy_include_children' parameter, which then executes in the browser of any user who loads an affected page. Wordfence rates it CVSS 7.2 with a changed scope, reflecting that injected script runs in the context of other site visitors and administrators. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

WordPress XSS Ajax Load More Filters
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated SQL injection in the EventON WordPress Virtual Event Calendar plugin (versions through 5.0.11) lets remote attackers inject arbitrary SQL through the 'search' parameter, enabling extraction of database contents such as user credentials and secrets. Exploitation is gated by the non-default 'Enable additional search queries' setting being enabled and the presence of at least one published event. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis.

WordPress SQLi Eventon Pro Wordpress Virtual Event Calendar Plugin
NVD VulDB
EPSS 0% CVSS 8.0
HIGH This Week

Arbitrary file deletion in the Export User Data plugin for WordPress (versions up to and including 2.2.6) allows an authenticated subscriber-level attacker to delete any file on the server, including wp-config.php, which can escalate to remote code execution. The flaw stems from unsafe deserialization of a PHP object embedded in a user's display name that is processed when an administrator exports user data. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation is gated by required administrator interaction.

WordPress Deserialization RCE +2
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM POC PATCH This Month

Broken object-level authorization in the Fluent Booking WordPress plugin (all versions before 2.1.2) allows any user holding the Calendar Manager role to export attendee PII - including names, email addresses, phone numbers, physical addresses, and payment information - from calendar groups they do not own. The flaw resides in the plugin's attendee export endpoint, which accepts a caller-supplied group_id without verifying the requesting user's ownership of that group. A publicly available proof-of-concept exploit exists per WPScan reporting; however, this vulnerability is not listed in the CISA KEV catalog, indicating no confirmed broad exploitation. The CVSS score of 4.9 (Medium) reflects the high-privilege prerequisite, though the sensitivity of the exposed data - including payment details - elevates real-world business impact beyond what the numeric score alone suggests.

WordPress Information Disclosure Fluent Booking
NVD WPScan VulDB
EPSS 0% CVSS 8.6
HIGH POC This Week

Unauthenticated SQL injection in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets remote attackers inject arbitrary SQL by abusing user-supplied array keys that are passed into a query without sanitization. Any unauthenticated visitor can extract sensitive database contents such as WordPress user records and password hashes. Publicly available exploit code exists, though EPSS rates exploitation probability low (0.18%, 7th percentile) and it is not on CISA KEV.

WordPress SQLi Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
EPSS 0% CVSS 8.8
HIGH POC This Week

Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. Publicly available exploit code exists (reported by WPScan), though it is not listed in CISA KEV and no EPSS score was provided.

WordPress XSS Wp Support Plus Responsive Ticket System
NVD WPScan VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject arbitrary JavaScript into form field captions, which execute in an administrator's browser session when the admin views the form-entries screen. A compounding missing capability check in the plugin's post-duplication action enables the same low-privilege attacker to publish the malicious form without administrator approval, removing the dependency on an admin independently discovering the unpublished form. A publicly available exploit (via WPScan) exists, and the plugin vendor has released a patch in version 2.4.13. No CISA KEV listing is present, indicating no confirmed mass exploitation at time of analysis.

WordPress Information Disclosure Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Account takeover in the ProfileGrid - User Profiles, Groups and Communities WordPress plugin (all versions through 5.9.9.5) lets unauthenticated remote attackers hijack the site administrator account. The plugin fails to validate a `user_login` value on registration forms lacking that parameter and mishandles the resulting error messages, allowing an attacker to overwrite the email address of the user with ID=1 (typically the admin) and then trigger a password reset to seize full control. Reported by Wordfence with a 9.8 CVSS; no public exploit identified at time of analysis.

Authentication Bypass WordPress Privilege Escalation +1
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM This Month

Arbitrary file write via directory traversal in the PixMagix WordPress Image Editor plugin (all versions through 1.7.2) allows any authenticated Author-level WordPress user to write attacker-controlled content to arbitrary filesystem paths accessible by the web server process. The vulnerability stems from unsanitized use of the `layers[].id` parameter inside the `move_image_on_server` function, which concatenates user input directly into a PHP `copy()` call without path validation. Because the `save_template` REST endpoint requires only the `create_projects` permission - automatically granted to Author-level users on plugin activation - any contributor-tier account can exploit this to plant PHP webshells and escalate to remote code execution. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress Path Traversal Pixmagix Wordpress Image Editor
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sidebar manipulation in the Premium Addons for KingComposer WordPress plugin (versions up to and including 1.1.1) allows any remote attacker to create arbitrary custom widget areas or permanently delete existing ones without any credentials. The root cause is that the AJAX handlers add_custom_sidebar() and remove_custom_sidebar() are registered under wp_ajax_nopriv_* hooks with no authorization or capability checks, granting public HTTP access to options-table writes via update_option(). Deletion of sidebars silently breaks widget rendering site-wide, and no public exploit has been identified at time of analysis; no CISA KEV listing is present.

Authentication Bypass WordPress Premium Addons For Kingcomposer
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Editorial Rating - Product Review & Rating System WordPress plugin (versions ≤ 4.0.5) enables authenticated administrators to inject persistent JavaScript payloads via the 'Link URL' field, which execute in any site visitor's browser upon loading an affected review page. The attack exploits a WordPress-specific sanitization bypass: because the payload is stored in post meta (_wpas_er_options via update_post_meta) rather than post_content or post_excerpt, WordPress's unfiltered_html capability exemption does not apply, meaning the restriction affects all administrators regardless of their unfiltered_html status. No public exploit has been identified at time of analysis and no active exploitation is confirmed; real-world risk is substantially constrained by the PR:H (administrator) prerequisite.

WordPress XSS Editorial Rating Product Review Rating System
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery in Plugin for Google Analytics by IO Technologies (WordPress) versions up to and including 1.1 allows unauthenticated remote attackers to overwrite the site's Google Analytics tracking ID by tricking a logged-in administrator into clicking a crafted link. The flaw stems from absent nonce validation on the ga.php settings handler, meaning forged POST requests bypass WordPress's standard CSRF protections entirely. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 4.3 reflects the required administrator interaction and limited integrity-only impact.

WordPress CSRF PHP +2
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Persistent script injection in the Team Members - Multi Language Supported Team Plugin for WordPress (all versions through 8.7) enables authenticated administrators to embed malicious JavaScript into site pages via insufficient sanitization and escaping in admin settings fields, with injected payloads executing silently for every subsequent page visitor. The vulnerability is constrained to two non-default deployment scenarios: WordPress multisite network installations and single-site installations where the unfiltered_html capability has been explicitly revoked from administrators - standard single-site installs are unaffected. No active exploitation has been confirmed (not in CISA KEV) and no public proof-of-concept exists, placing real-world risk well below what the scope-changed CVSS vector might initially suggest.

WordPress XSS Team Members Multi Language Supported Team Plugin
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated IDOR in Colissimo Officiel : Méthodes de livraison pour WooCommerce (versions ≤ 2.9.0) exposes shipping-related backend objects to manipulation by remote, unauthenticated attackers. Missing server-side authorization on object lookups allows adversaries to reference records belonging to other users, producing low integrity and availability impacts on WooCommerce shipping data with no confidentiality breach. No public exploit code or active exploitation has been identified at time of analysis, and no patched version number was independently confirmed in the available intelligence.

Authentication Bypass WordPress Colissimo Officiel
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated broken access control in the Japanized For WooCommerce WordPress plugin (versions <= 2.9.12) allows remote unauthenticated attackers to bypass authorization checks and perform restricted operations, resulting in limited integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or user interaction is required, lowering the exploitation barrier significantly for any exposed WordPress site running this plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low complexity and zero-privilege requirement make this accessible to unsophisticated attackers.

Authentication Bypass WordPress Japanized For Woocommerce
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper authorization in the Wallet System for WooCommerce WordPress plugin (versions 2.7.6 and earlier) lets low-privileged authenticated users — subscriber-level accounts — perform wallet actions reserved for higher roles, enabling manipulation of stored wallet balances and transactions. The flaw, reported by Patchstack and tracked as CWE-862 (Missing Authorization), carries a 7.1 (High) CVSS score driven by high integrity impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass WordPress Wallet System For Woocommerce
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored Cross-Site Scripting in WooCommerce Designer Pro (WordPress plugin) versions 1.9.34 and earlier allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The scope change (S:C in CVSS) indicates injected payloads can cross privilege boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the subscriber-level entry point lowers the bar for exploitation on any site permitting account registration.

WordPress XSS Woocommerce Designer Pro
NVD
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts.

WordPress CSRF F4 Post Tree
NVD WPScan VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

WordPress XSS Apcu Manager
NVD WPScan VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated arbitrary file deletion in the Frontend File Manager Plugin (nmedia-user-file-uploader) for WordPress versions through 23.6 lets Subscriber-level users delete any file on the server, including wp-config.php, which can cascade into full site takeover. The flaw stems from a case-sensitivity gap in input sanitization within the wpfm_file_meta_update AJAX handler that allows attacker-controlled paths to reach unlink() unchecked. Reported by Wordfence with a CVSS of 8.1; no public exploit identified at time of analysis and the issue is not on CISA KEV.

WordPress Information Disclosure PHP
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Gutenverse WordPress Blocks, Page Builder & Site Editor plugin (all versions through 3.8.0) enables authenticated editor-level users to persist arbitrary JavaScript into pages served to any site visitor. The vulnerability is constrained to WordPress multi-site installations or single-site deployments where unfiltered_html has been explicitly disabled. No public exploit has been identified at time of analysis, and a upstream fix commit (changeset 3578328) has been published to the WordPress plugin repository.

WordPress XSS Gutenverse Wordpress Blocks Page Builder Site Editor
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's `upload_csv` and `process_batch` functions in the `MigrationMobilepayToVipps` class perform no WordPress capability checks before processing caller-supplied CSV data. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier (Subscriber) makes it meaningful in multi-tenant or open-registration WordPress environments.

Authentication Bypass WordPress Frisbii Pay
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. An attacker who has legitimately initiated a checkout on the target site (and thereby obtained a Stripe Payment Intent ID from the browser-visible Stripe.js flow) can send a crafted POST request to mark a previously successful payment as failed, potentially blocking order fulfillment, triggering disputes, or corrupting financial records. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass WordPress Stripe Payment Forms By Wp Full Pay Accept Credit Card Payments Donations Subscriptions
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress XSS Surbma Infusionsoft Shortcode
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.

WordPress XSS Page Builder By Siteorigin
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. No public exploit code or active exploitation has been identified at time of analysis, and no EPSS data was provided.

Authentication Bypass WordPress Spexo
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Masteriyo LMS WordPress plugin (all versions through 2.2.1) allows authenticated users with student-level access to overwrite the post content of course announcements created by instructors or administrators. The flaw is rooted in missing authorization checks (CWE-862) inside the CourseAnnouncementController addon, meaning any enrolled student can tamper with official communications - exam instructions, policy notices, deadlines - without being detected by the LMS. No public exploit code or active exploitation has been identified at time of analysis; CVSS rates this 4.3 (Medium) reflecting limited integrity-only impact with no confidentiality or availability consequence.

Authentication Bypass WordPress Masteriyo Lms Lms Course Builder Quizzes Certificates
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Quiz and Survey Master (QSM) WordPress plugin (all versions through 11.1.4) allows authenticated contributors to create, modify, and delete quiz output templates in the mlw_quiz_output_templates database table without proper capability checks. Because template content is stored without sanitization, this grants contributor-level users the practical ability to inject arbitrary script tags into templates viewable by higher-privileged users such as administrators. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege requirement makes this accessible to any registered contributor on affected WordPress installations.

Authentication Bypass WordPress Quiz And Survey Master Qsm Easy Quiz And Survey Maker
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized taxonomy manipulation in the Product Specifications for WooCommerce WordPress plugin (versions up to and including 0.8.9) exposes AJAX endpoints that any authenticated subscriber can invoke without authorization checks or CSRF protection, enabling arbitrary creation, modification, and deletion of product specification groups and attributes. The affected AJAX actions 'dwps_modify_groups' and 'dwps_modify_attributes' - bound to the __invoke() methods of AttributeGroupController and AttributeController - operate on 'spec-group' and attribute taxonomy terms, meaning successful exploitation directly corrupts WooCommerce store business data and breaks frontend product display. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Authentication Bypass WordPress Product Specifications For Woocommerce
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the attack surface is wide on marketplaces with open vendor registration.

WordPress XSS Dokan
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Authentication bypass in the RegistrationMagic WordPress plugin (all versions through 6.0.8.6) permits an unauthenticated attacker with a prior legitimate payment transaction on the target site to obtain real WordPress session cookies for any user account, including administrators. The flaw exploits a fatally inverted processing order in the PayPal IPN callback handler: attacker-controlled POST data including the target user_id is written to the payment log database before PayPal IPN validation is performed, and the database poisoning persists even after validation subsequently rejects the forged notification. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the account-takeover impact makes this a critical priority for any site running the plugin with active PayPal payment integration.

WordPress Authentication Bypass Registrationmagic Custom Registration Forms User Registration Payment And User Login
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress Dokan
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

WordPress XSS
NVD WPScan VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the MaxButtons - Create buttons WordPress plugin (versions up to and including 9.8.5) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'view' parameter, executing in the victim's browser context when a crafted URL is clicked. The flaw is traced to insufficient input sanitization in listController.php and maxbuttons-list.php, as confirmed by Wordfence and source-level references in the WordPress plugin repository. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make social-engineering-based exploitation straightforward.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated form submission data exfiltration in NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) exposes sensitive PII and payment details to any remote attacker. Missing authorization checks on report download endpoints allow sequential enumeration of report IDs without any credentials, enabling mass harvesting of names, email addresses, phone numbers, postal addresses, payment details, and file paths from every saved form report on the site. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and zero authentication requirement make opportunistic exploitation straightforward.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Broken access control (Insecure Direct Object Reference) in the Paid Member Subscriptions WordPress plugin before 4.16.17 lets any authenticated low-privileged user (Subscriber or above) cancel arbitrary other users' active subscriptions by manipulating the subscription identifier in a subscription-action request. The plugin fails to verify that the requesting account owns the targeted subscription. No public exploit identified at time of analysis, EPSS is low at 0.14% (3rd percentile), and the issue is not in CISA KEV, but the attack is trivial to perform once any account exists on the site.

WordPress Information Disclosure
NVD WPScan VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV.

Privilege Escalation WordPress Invoice Generator
NVD VulDB GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the HD Quiz WordPress plugin versions 2.2.0 and 2.2.1 enables unauthenticated attackers to manipulate quiz content and plugin settings by tricking a logged-in administrator into clicking a crafted link. The flaw originates in the `hdq_validate_nonce` function (`includes/functions.php:39`), which fails to properly validate WordPress nonces across at least six distinct AJAX action handlers in `includes/actions-ajax.php`. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though Wordfence has published a detailed advisory with source code references for both affected versions.

WordPress CSRF Hd Quiz
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the `menu_title` and `menu_magnifier_color` settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. No public exploit code has been identified at time of analysis, CISA KEV does not list this CVE, and the CVSS score of 4.4 reflects the high privilege prerequisite rather than the cross-site impact scope.

WordPress XSS Ivory Search Wordpress Search Plugin
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the `query[select]` REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in `query[filters]` triggers a FilterException that silently redirects execution from the protected `Contact_Query` path to the unprotected `Legacy_Contact_Query` path. No CISA KEV listing or confirmed public exploit code exists at time of analysis, though Wordfence's advisory directly references vulnerable source lines at plugin version 4.5.5, materially lowering the barrier to independent PoC development.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. No confirmed active exploitation appears in CISA KEV, and no public exploit code has been identified at time of analysis.

WordPress XSS Google +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the vulnerability is straightforward to exploit with valid credentials given the low complexity rating.

WordPress SQLi Groundhogg Crm Newsletters And Marketing Automation
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Sensitive data exposure in the Bopo - WooCommerce Product Bundle Builder plugin for WordPress (versions ≤ 1.1.6) allows low-privileged authenticated users to access information that should be restricted to higher-trust roles. The flaw is classified under CWE-497, indicating the plugin exposes sensitive system or application data to an unauthorized control sphere - likely via an improperly protected REST API endpoint or AJAX action lacking appropriate capability checks. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress Information Disclosure
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the Abandoned Cart Lite for WooCommerce WordPress plugin (versions 6.8.0 and below) enables unauthenticated remote attackers to perform unauthorized state-changing actions by luring an authenticated site user into visiting a malicious page. The CVSS score of 4.3 (Medium) reflects a limited integrity impact with no confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

WordPress CSRF
NVD VulDB
Prev Page 5 of 193 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy