Skip to main content

WordPress

17379 CVEs vendor

Monthly

CVE-2022-47150 MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery.0.10. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2022-44630 MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery.16.0. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF WordPress
NVD VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-10795 HIGH POC This Week

Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticated attackers to forge RPC commands as the connected administrator by bypassing signature verification in the UpdraftPlus_Remote_Communications_V2::wp_loaded handler. A flaw in how unchecked decryption return values are handled collapses the encryption key to an all-zero value, enabling arbitrary plugin upload and activation. No public exploit identified at time of analysis, but the plugin's massive WordPress install base and trivial post-bypass impact make this a high-priority patch.

Jwt Attack Authentication Bypass WordPress RCE
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-2827 MEDIUM This Month

Stored Cross-Site Scripting in the Open User Map PRO WordPress plugin (versions ≤ 1.4.31) via the 'oum_location_notification' parameter enables unauthenticated attackers to persistently inject arbitrary JavaScript into WordPress pages. The injected payload executes in any visitor's browser upon accessing the affected page, with scope extending beyond the originating application context (S:C). No public exploit code or CISA KEV listing has been identified at time of analysis, but the unauthenticated injection surface lowers the barrier for mass exploitation against unpatched sites.

WordPress XSS
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-3018 HIGH POC This Week

Unauthenticated time-based SQL injection in the Newsletters plugin for WordPress (versions up to and including 4.13) allows remote attackers to extract sensitive database contents via the 'wpmlsubscriber_id' parameter. The flaw stems from insufficient input escaping and lack of prepared statements, and no public exploit identified at time of analysis. The CVSS 7.5 score reflects confidentiality-only impact with no required authentication or user interaction.

SQLi WordPress
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-6254 CRITICAL Act Now

Unauthenticated privilege escalation in the Doctreat Core WordPress plugin (versions ≤ 1.6.8) allows remote attackers to register accounts directly as administrators by abusing insufficient role validation in the doctreat_process_registration() function. With a CVSS of 9.8 and trivial exploitability (AV:N/AC:L/PR:N/UI:N), full site takeover is possible without credentials, though no public exploit has been identified at time of analysis and the CVE is not currently listed in CISA KEV.

Privilege Escalation WordPress
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-9019 MEDIUM This Month

Stored Cross-Site Scripting in the Easy Image Collage WordPress plugin (all versions through 1.13.6) allows authenticated attackers with author-level access to permanently inject arbitrary JavaScript into pages via the `grid[properties][borderColor]` and `grid[images][N][attachment_url]` parameters, which executes in victims' browsers upon page load. The critical aggravating factor is that payloads are persisted via WordPress's `update_post_meta()` API rather than through post content, which deliberately sidesteps the `unfiltered_html` capability check that normally prevents lower-privilege users from injecting raw HTML - meaning site administrators cannot block this attack path through standard WordPress role controls alone. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low privilege requirement and well-documented bypass of WordPress hardening make this a credible threat on multi-author sites.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8853 MEDIUM This Month

Stored Cross-Site Scripting in the MW WP Form WordPress plugin (all versions through 5.1.3) allows authenticated editor-level attackers to inject persistent malicious scripts via the 'memo' parameter that execute in the browsers of any user who views the affected contact data page. The vulnerability is made possible by a specific bypass of WordPress Core sanitization: because memo values are stored via update_post_meta() rather than wp_insert_post(), the native wp_kses_post() and unfiltered_html capability checks are never invoked, permitting editors - who are normally prevented from injecting raw HTML - to break out of the textarea element using injected closing tags. No public exploit has been identified at time of analysis, and the CVSS 4.4 Medium score reflects the high privilege and high complexity prerequisites.

XSS WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-8613 MEDIUM This Month

Stored Cross-Site Scripting in the aThemes Addons for Elementor WordPress plugin (versions up to and including 1.1.8) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title_tag' widget setting in the Posts Timeline and Posts Carousel widgets. The injected payload executes in the browsers of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing has been identified at time of analysis, though the contributor-level authentication barrier is low in multi-author WordPress deployments.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9067 CRITICAL POC PATCH Act Now

Unauthenticated arbitrary file upload in the Schema & Structured Data for WP & AMP WordPress plugin before version 1.60 allows remote attackers to upload any file type accepted by WordPress's media library through frontend AJAX handlers intended for images and videos only. The plugin fails to perform user capability checks and does not validate uploaded file content against the endpoint's declared media type. Publicly available exploit code exists via WPScan, increasing the urgency for immediate patching despite no confirmed in-the-wild exploitation.

File Upload WordPress
NVD WPScan
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-9060 LOW POC PATCH Monitor

Stored Cross-Site Scripting in Store Locator WordPress plugin before 1.6.6 allows administrator-level users to inject persistent malicious scripts into the plugin's admin settings page, with execution triggered when any privileged user visits the page. Critically, this bypass works even when WordPress's `unfiltered_html` capability is restricted - a control commonly enforced in multisite networks - meaning a subsite admin could target visiting super admins. A publicly available exploit exists via WPScan, though no active exploitation has been confirmed by CISA KEV. CVSS rates this 3.5 (Low), but multisite deployments face materially higher practical risk.

XSS WordPress
NVD WPScan
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-8071 HIGH POC PATCH This Week

Stored cross-site scripting in the Anti-Spam by CleanTalk Spam Protection WordPress plugin before 6.79 allows unauthenticated remote attackers to inject arbitrary JavaScript into approved comments via a custom shortcode in the email-encoding feature, with execution occurring when any visitor or administrator views the affected post. Publicly available exploit code exists per WPScan, increasing exposure for the plugin's large WordPress installation base, though it requires user interaction (UI:R) to trigger the payload. The high CVSS score of 8.8 reflects the potential for administrator account compromise leading to full site takeover.

XSS WordPress
NVD WPScan
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3326 HIGH POC PATCH This Week

Unauthenticated SQL injection in the XStore WordPress theme before 9.7.3 allows remote attackers to inject arbitrary SQL queries through an AJAX action that fails to sanitise and escape a user-supplied parameter. Publicly available exploit code exists per WPScan, and the changed scope (S:C) with high confidentiality impact indicates an attacker can extract sensitive data across security boundaries - including WordPress user records, password hashes, and configuration secrets - without any credentials or user interaction.

SQLi WordPress
NVD WPScan
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-8444 MEDIUM This Month

DOM-Based Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions up to and including 2.6.7) allows authenticated attackers holding Contributor-level access or higher to inject persistent malicious scripts through multiple unsanitized plugin parameters. The injected payload executes in the browsers of any user who subsequently loads an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and the plugin is not listed in the CISA KEV catalog, but the Changed scope (S:C) in the CVSS vector elevates real-world impact beyond the 6.4 score suggests for multi-author WordPress deployments.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2017-20251 CRITICAL POC PATCH Monitor

WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP WordPress Code Injection
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2017-20247 HIGH POC This Week

WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20246 HIGH POC Monitor

KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20245 HIGH POC This Week

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20244 HIGH POC This Week

Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2017-20243 HIGH POC This Week

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2016-20065 HIGH POC Monitor

Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2016-20062 HIGH POC This Week

Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress SQLi
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-4058 MEDIUM This Month

Unauthorized subscription cancellation in weDevs User Frontend WordPress plugin (all versions through 4.3.2) allows any authenticated subscriber to cancel any other user's subscription pack, including administrators. The flaw stems from a missing capability check on the user_subscription_cancel() function, meaning low-privileged users can invoke privileged actions. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity and broad attacker pool (any registered subscriber) make this a realistic insider or account-takeover amplification risk.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8365 HIGH This Week

Authenticated PHP Object Injection in the Blocksy WordPress theme (versions ≤ 2.1.35) allows contributor-level users to escalate to remote code execution by storing a malicious serialized object in post meta that is later deserialized during the V200 database migration. Wordfence-reported flaw chains weak input sanitization in blocksy_sanitize_post_meta_options() with an unconditional @unserialize() call in SearchReplacer::run_recursively(), triggering RaiiPattern::__destruct() to invoke arbitrary callables via call_user_func(). No public exploit identified at time of analysis, but the low-privilege requirement and high impact make this a meaningful priority for sites running upgraded Blocksy installations.

PHP Deserialization WordPress RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-8677 MEDIUM This Month

Stored Cross-Site Scripting in Prime Elementor Addons for WordPress (all versions through 1.3.3) allows authenticated attackers with contributor-level access to persist malicious scripts in widget HTML Tag settings that execute in any visitor's browser on page load. The vulnerability is notable for a specific filter bypass: payloads crafted without HTML angle brackets (e.g., 'img src=x onerror=alert(document.domain)') pass unmodified through Elementor's wp_kses_post() sanitization at save time, meaning even users lacking the unfiltered_html capability can inject effective XSS. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS WordPress Elementor
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8599 MEDIUM This Month

{id}-slug/) enforces a Content-Security-Policy header that blocks all inline scripts, meaning the attack surface is exclusively the WordPress admin dashboard preview context. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-7542 MEDIUM This Month

Server-side file exfiltration in the Slider Revolution WordPress plugin (≤7.0.10) allows any authenticated subscriber to copy arbitrary server files into the publicly accessible uploads directory. Three compounding design flaws enable this: a backend AJAX nonce is leaked to all authenticated users via the admin_footer hook, the image-creation action bypasses administrator-only access controls via an explicit allowlist entry, and the underlying file-copy function accepts local filesystem paths without restriction to HTTP/HTTPS URLs. No public exploit code or active exploitation has been identified at time of analysis, but the low privilege bar (subscriber-level account) and high confidentiality impact make this a meaningful risk for any WordPress site with open user registration.

Information Disclosure WordPress Slider Revolution
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-11616 HIGH This Week

Privilege escalation in the Events Calendar for GeoDirectory WordPress plugin (versions up to and including 2.3.28) allows authenticated Subscriber-level users to elevate to Administrator by abusing the ajax_ayi_action() AJAX handler, which writes attacker-controlled POST parameters directly into the wp_capabilities user meta key. The flaw stems from insufficient input filtering (strip_tags/esc_sql with no allow-list) on the type and postid fields before they reach update_user_meta(), enabling an attacker to set their own role to administrator. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation WordPress
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-8981 LOW PATCH Monitor

Stored cross-site scripting in the Custom Block Builder WordPress plugin (versions before 4.3.0) allows authenticated administrators to inject persistent JavaScript into block template code fields that executes in every visitor's browser on pages embedding the affected block. The vulnerability is specifically scoped to multisite WordPress installations or single-site deployments where DISALLOW_UNFILTERED_HTML is defined - environments that are supposed to restrict the unfiltered_html capability from lower-trust administrators. The root cause is inconsistent capability enforcement: certain code paths writing to block template fields bypass the unfiltered_html check that should gate raw HTML/JS input. No public exploit identified at time of analysis, and the CVSS score of 3.5 reflects the high-privilege prerequisite and limited confidentiality/integrity impact.

XSS WordPress
NVD WPScan VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-4986 MEDIUM PATCH This Month

WPForms WordPress plugin versions prior to 1.10.0.5 allow unauthenticated remote attackers to forge PayPal webhook payloads and manipulate the payment state of arbitrary transactions due to absent webhook authenticity verification. The endpoint blindly processes incoming PayPal webhook events without validating their origin or integrity, enabling attackers to mark pending or failed payments as completed. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects low current exploitation activity, though the business impact of fraudulent payment confirmation can materially exceed what the CVSS integrity score suggests.

Authentication Bypass WordPress
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8895 MEDIUM This Month

Stored Cross-Site Scripting in the kk Blog Card WordPress plugin (all versions ≤ 1.3) allows authenticated contributors to inject persistent JavaScript payloads via unsanitized 'href' and 'type' attributes of the [blog-card] shortcode. The flaw, rooted in direct attribute concatenation without sanitization or escaping in kk-blog-card-shortcode.php, executes injected scripts in the browser of any visitor loading an affected page - including administrators. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector elevates potential impact beyond the plugin boundary.

PHP XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-11603 MEDIUM This Month

Reflected Cross-Site Scripting in the Product Filter Widget for Elementor WordPress plugin (versions up to and including 1.0.6) enables unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session. The vulnerability stems from unsanitized output of the 'args[filterFormArray]' parameter in a publicly accessible AJAX endpoint registered via wp_ajax_nopriv_ with no nonce verification or capability check, meaning any unauthenticated request to admin-ajax.php can carry the payload. Exploitation is delivered via a CSRF-style auto-submitting form, requiring the attacker to social-engineer a victim into visiting an attacker-controlled page; no public exploit code or CISA KEV listing has been identified at time of analysis.

PHP XSS CSRF WordPress Elementor
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-8904 MEDIUM This Month

Cross-Site Request Forgery in FastPicker (versions up to and including 1.0.2), a WooCommerce order management plugin for WordPress, allows unauthenticated remote attackers to modify the plugin's administrative settings by tricking a logged-in site administrator into clicking a crafted link. Specifically, the `settingsPage` function in `Admin.php` lacks proper nonce validation, enabling forged POST requests that can toggle the plugin's webhook integration and redirect FastPicker and KDZ API endpoint URLs to attacker-controlled infrastructure. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-10553 MEDIUM This Month

Cross-Site Request Forgery in the jQuery Hover Footnotes WordPress plugin (all versions up to and including 1.4) enables unauthenticated remote attackers to chain CSRF into persistent stored Cross-Site Scripting affecting every visitor on the compromised site. The plugin's jqFootnotes_options_subpanel function lacks proper nonce validation, allowing a forged request to overwrite settings such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title with arbitrary HTML or JavaScript. Because these values are persisted via WordPress's update_option() without sanitization and rendered unescaped in frontend page output, a single successful social-engineering action against one administrator produces site-wide persistent XSS. No public exploit code is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

CSRF XSS WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8910 MEDIUM This Month

Cross-Site Request Forgery combined with stored XSS in the WP Emoticon Rating WordPress plugin (all versions ≤ 1.0.1) allows unauthenticated remote attackers to persistently inject malicious scripts into site settings by tricking a logged-in administrator into clicking a crafted link. The CVSS Scope:Changed rating reflects that the injected payload executes beyond the admin context, potentially affecting all site visitors. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

CSRF WordPress
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-10738 MEDIUM This Month

{{...}}). The attack exploits an attribute-breakout technique - a double-quote followed by an event handler - that contains no angle brackets and therefore evades WordPress core's wp_kses_post() filter, which only strips disallowed HTML tags rather than sanitizing attribute injection contexts. The changed scope (S:C in the CVSS vector) means injected scripts execute in any victim's browser upon visiting a page containing the malicious footnote, enabling session theft, credential harvesting, or defacement at scale across site visitors. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8882 MEDIUM This Month

Stored Cross-Site Scripting in the WP ApplicantStack Jobs Display WordPress plugin (all versions through 1.1.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. Because the CVSS vector reflects Changed Scope (S:C), successful injection impacts the browsers of any user - including administrators - who subsequently load the affected page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8977 MEDIUM This Month

Stored Cross-Site Scripting in the WP GDPR Cookie Consent WordPress plugin (versions up to and including 1.0.0, by techjewel) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into pages served to all site visitors. The vulnerability chains three distinct weaknesses in the handleAjaxCalls() function: absent capability verification, missing nonce validation, and unsanitized gdprConfig values that are echoed verbatim by generateCSS() into a <style> block on wp_head. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber-level) and changed scope (S:C) make this a meaningful risk for multi-user WordPress sites.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7662 MEDIUM This Month

Stored Cross-Site Scripting in the ePaperFlip Publisher WordPress plugin (all versions up to and including 1) permits authenticated Contributors to inject arbitrary JavaScript via the 'publicationid' attribute of the epaperflip_embed shortcode, which is written unsanitized directly into inline JavaScript on rendered pages. The CVSS Changed scope (S:C) reflects that the injected payload executes in the browser context of any visitor who loads the compromised page, crossing trust boundaries beyond the plugin itself. No public exploit code has been identified at time of analysis and this vulnerability is not currently listed in the CISA KEV catalog.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8902 MEDIUM This Month

Cross-Site Request Forgery in the AJAX Report Comments WordPress plugin (≤2.0.4) allows unauthenticated attackers to modify plugin settings by tricking a logged-in administrator into triggering a forged request. The rc_options_page function in report-comments.php performs missing or incorrect nonce validation, enabling an attacker to overwrite notification email addresses, comment thresholds, link text, and message bodies without any privileges of their own. No public exploit code or CISA KEV listing has been identified at time of analysis, but the notification email hijack vector makes this a meaningful integrity risk on affected sites.

CSRF WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9185 HIGH This Week

Unauthenticated tenant data disclosure in the 6Storage Rentals WordPress plugin (versions up to and including 2.22.0) allows remote attackers to read and modify arbitrary tenant profile records - including names, emails, phone numbers, physical addresses, and SSNs - by enumerating numeric userId values. The flaw stems from AJAX handlers exposed via wp_ajax_nopriv_* hooks without ownership checks or nonce validation. No public exploit identified at time of analysis, but the bug is trivially scriptable and reported by Wordfence.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8909 MEDIUM This Month

Cross-Site Request Forgery combined with reflected XSS in the WpMobi WordPress plugin (all versions through 0.0.3) allows unauthenticated attackers to execute arbitrary JavaScript in an administrator's browser session by forging a settings-save request. The handleSaveGeneralSettings function performs no nonce validation, permitting any remote party to submit crafted plugin settings on behalf of an authenticated admin. A particularly notable aspect is that the injected script in the app_name parameter fires even when server-side validation rejects the value, because the view layer re-renders the form with the unsanitized in-memory value rather than a sanitized fallback - meaning the XSS trigger does not depend on successful data persistence. No public exploit code or CISA KEV listing has been identified at time of analysis.

CSRF WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8880 MEDIUM This Month

Stored Cross-Site Scripting in the RomanCart Ecommerce WordPress plugin (versions ≤2.0.8) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'blclass' attribute - and other attributes - of the romancart_button shortcode. The injected payload executes in any visitor's browser upon page load, enabling session hijacking, credential theft, or administrative account takeover. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and changed scope (S:C) elevate real-world concern for multi-author WordPress deployments.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8907 MEDIUM This Month

WP-Ultimate-Map plugin for WordPress (versions up to and including 1.1) is vulnerable to a chained CSRF-to-stored-XSS attack that allows unauthenticated network attackers to hijack plugin settings and inject persistent JavaScript into the WordPress admin panel. The missing nonce check on `process_init()` - hooked to `admin_init` - means any forged POST with a `save-setting` parameter will overwrite plugin options without any authentication or state validation. The injected `zoom-level` value is then stored unsanitized and reflected verbatim into an HTML attribute and inline JavaScript block on the settings page, completing the XSS chain. No public exploit identified at time of analysis.

CSRF WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-10024 MEDIUM This Month

Stored Cross-Site Scripting in the TinyMCE Shortcode Addon WordPress plugin (all versions ≤ 1.0.0) allows authenticated attackers with contributor-level access or higher to inject persistent JavaScript via the unsanitized 'btnrel' shortcode attribute. The injected script is stored server-side and executes in the browser of every subsequent visitor to the affected page, including administrators - enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8499 MEDIUM This Month

Unauthenticated settings manipulation in Helpfulcrowd Product Reviews plugin for WordPress (versions up to and including 1.2.9) allows any remote attacker to overwrite arbitrary plugin configuration values in the WordPress database. The vulnerability stems from a PHP type juggling flaw in the token validation function combined with an openly accessible REST endpoint registered with `__return_true` as its permission callback. By submitting a JSON boolean `true` as the token value, an attacker bypasses the loose-comparison check (`!=`) in `helpfulcrowd_validate_token()` and gains full write access to the `helpfulcrowd_options` database option with no sanitization or allowlist enforcement. No public exploit or CISA KEV listing is identified at time of analysis.

PHP Memory Corruption WordPress RCE
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-9662 HIGH This Week

Local File Inclusion in the Recover Exit For WooCommerce WordPress plugin (versions up to and including 1.0.3) allows remote unauthenticated attackers to include arbitrary local PHP files via the unsanitized `tpf` POST parameter passed to `include()` in the `recover_exit()` function. Successful exploitation can disclose sensitive files such as `wp-config.php` and, when combined with file upload primitives or log poisoning, escalate to remote code execution. No public exploit identified at time of analysis, though the vulnerable sink is documented in the plugin source on plugins.trac.wordpress.org.

Information Disclosure WordPress Path Traversal PHP RCE +2
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-8940 MEDIUM This Month

Cross-Site Request Forgery in WP Meta Sort Posts WordPress plugin (all versions ≤ 0.9) allows unauthenticated remote attackers to modify plugin settings by tricking a logged-in administrator into clicking a crafted link, due to missing nonce validation in msp-options.php. The CVSS vector (PR:N, UI:R) confirms the attacker requires no authentication but must social-engineer an administrator, with impact limited to changing the msp_loop_file and msp_nav_location settings. No active exploitation confirmed - this CVE is not listed in CISA KEV, no public exploit code has been identified, and EPSS data was not provided in available intelligence.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8883 MEDIUM This Month

Stored Cross-Site Scripting in the Global Body Mass Index Calculator WordPress plugin (versions up to and including 1.2) allows authenticated contributors to persistently inject arbitrary JavaScript into any page rendering the 'gbmicalc' shortcode. The vulnerability arises from PHP's @extract() call on unsanitized shortcode attributes followed by unescaped output into both an HTML style attribute context and an HTML body context inside GBMI_Calc_Widget::widget(), enabling attribute-breakout payloads. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence-confirmed contributor-level requirement makes this a realistic risk for any multi-author WordPress installation.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-8841 MEDIUM This Month

Stored Cross-Site Scripting in the Extra Settings for RocketChat WordPress plugin (versions up to and including 0.1) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript via the 'title' attribute of the [rocketchat] shortcode. The injected script persists in the database and executes in the browser of any site visitor who loads an affected page, enabling session hijacking, credential theft, or further privilege escalation depending on victim role. No public exploit code identified at time of analysis, and this CVE does not appear on the CISA KEV catalog.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7556 HIGH This Week

Stored cross-site scripting in the FV Flowplayer Video Player WordPress plugin (versions through 7.5.49.7212) allows remote attackers to inject persistent JavaScript via the comment text field, which executes in any visitor's browser when the affected page is loaded. The flaw stems from insufficient input sanitization and output escaping in the comment-parsing routine and is reachable only when the non-default 'Parse Vimeo and YouTube links' (parse_comments) option is enabled and an administrator approves the malicious comment. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS WordPress
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-5714 MEDIUM This Month

Stored Cross-Site Scripting in the Enable Media Replace WordPress plugin (all versions through 4.1.8) allows authenticated attackers with Author-level access or higher to inject persistent malicious scripts via the unsanitized 'location_dir' parameter. The injected payload executes in the browser of any user who accesses an affected page, with scope changed (S:C) indicating cross-boundary impact - most critically, a low-privileged Author can compromise higher-privileged sessions including administrators. No public exploit identified at time of analysis, and no CISA KEV listing, but the low attack complexity and broad WordPress install base elevate practical risk.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-10862 MEDIUM This Month

Stored Cross-Site Scripting in the Accordions plugin for WordPress (all versions through 2.3.23) enables authenticated attackers holding Custom-level roles or higher to permanently embed malicious JavaScript into Accordion body fields. The injected scripts execute in the browser of any user who subsequently visits an affected page, enabling session token theft, credential harvesting, or drive-by malware delivery within the WordPress site context. No public exploit has been identified at time of analysis, though an upstream fix commit is available in the plugin Trac repository.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3011 MEDIUM This Month

Stored Cross-Site Scripting in WPZOOM's Recipe Card Blocks Lite WordPress plugin (all versions through 3.4.13) allows authenticated attackers with Author-level access or higher to inject persistent malicious scripts into published posts and recipe print views. The vulnerability is a sanitization bypass: the `WPZOOM_Helpers::deserialize_block_attributes` method re-decodes unicode-escaped character sequences back into raw HTML after WordPress's sanitization pipeline has already run, permitting crafted payloads in the recipe block's 'summary' and 'notes' attributes to survive sanitization and execute in victims' browsers. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS Changed Scope (S:C) rating reflects cross-user impact, including potential administrator session hijacking.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2024-58349 CRITICAL POC Act Now

WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2024-58348 CRITICAL POC Act Now

WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress PHP
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-54352 CRITICAL POC Act Now

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress Authentication Bypass
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-54351 MEDIUM POC This Month

WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.1%
CVE-2023-54350 HIGH POC This Week

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress Authentication Bypass
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2022-50953 MEDIUM POC This Month

WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Path Traversal
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2021-47984 MEDIUM POC This Month

WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47983 MEDIUM POC This Month

WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47982 MEDIUM POC This Month

WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-9829 MEDIUM This Month

Time-based SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.41) enables authenticated contributors to exfiltrate arbitrary data from the WordPress database via a stored shortcode payload that is subsequently triggered without authentication. The attack exploits the 'compact_album_order_by' parameter passed through the 'shortcode_bwg' AJAX handler, where insufficient escaping and absent query preparation allow appended SQL clauses to survive into execution. Critically, the stored malicious shortcode can be activated by the unauthenticated 'bwg_frontend_data' AJAX handler, collapsing the effective authentication barrier after the initial store step. No public exploit code or CISA KEV listing has been identified at time of analysis.

SQLi WordPress
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-9851 HIGH This Week

Privilege escalation in the Booking Package plugin for WordPress (versions up to and including 1.7.16) allows authenticated attackers with Editor-level access or above to take over any account, including Administrator accounts, by abusing the 'updateUser' branch of the package_app_action AJAX endpoint. The handler validates only a nonce and passes a hard-coded administrator flag to Schedule::updateUser(), letting attackers supply arbitrary target user IDs to wp_update_user() and reset the email and password of any account. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and results in full site compromise once an Editor account is obtained.

Authentication Bypass Privilege Escalation WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-9016 MEDIUM This Month

Log injection in the Debug Log Manager WordPress plugin (versions up to and including 2.5.0) allows unauthenticated remote attackers to write arbitrary forged entries into the site's debug log. The root cause is a broken authorization design: the `log_js_errors()` AJAX handler is registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors`, and the only gate-a WordPress nonce-is publicly broadcast in every page's front-end HTML via `wp_localize_script()` whenever JavaScript error logging is enabled, rendering it non-secret and thus non-protective. Exploitation enables log spoofing, masking of real malicious activity behind fabricated noise, and manipulation of administrator triage decisions. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Information Disclosure WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-9594 MEDIUM This Month

Stored Cross-Site Scripting in WP Maps (all versions through 4.9.4) allows authenticated attackers holding the wpgmp_manage_location capability - granted to administrators by default but delegable to lower-privileged roles - to inject persistent malicious scripts via the 'location_messages' parameter. The CVSS scope change (S:C) confirms the injected payload executes across victim browser sessions on any page rendering the affected shortcode, enabling session hijacking or unauthorized actions on behalf of site visitors. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the delegable capability expands the potential attacker pool beyond pure administrators.

XSS Google WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-8611 MEDIUM This Month

Insecure Direct Object Reference in the Klamra Paycal for Aspaclaria WordPress plugin (all versions through 1.1.4) allows authenticated attackers with subscriber-level access to download invoices belonging to other customers by enumerating sequential WordPress post IDs via the unvalidated 'invoice_id' parameter. Exposed data includes full name, email address, phone number, order total, line items, and customer notes - constituting a significant billing PII breach for any e-commerce site running this plugin. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the low attack complexity and sequential enumeration method make mass harvesting of customer data straightforward for any authenticated user.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8839 MEDIUM POC This Month

{mapid}` endpoint - harvesting POI titles, addresses, geolocation coordinates, and body content - because the permission callback is hardcoded to `__return_true`. Separately, any authenticated user with at least Contributor-level WordPress access can issue write operations (update, delete, trash/restore, clone) against maps owned by other authors, because write endpoints gate only on the generic `edit_posts` capability and the model layer (`Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, `empty_trash()`) performs no ownership validation at any depth. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-7624 MEDIUM This Month

Authorization bypass in the Squirrly SEO WordPress plugin (all versions through 12.4.16) allows authenticated attackers with contributor-level access to invoke privileged Squirrly cloud API operations reserved for administrators, including revoking the site's Google Search Console and Google Analytics integrations via the `api/gsc/revoke` and `api/ga/revoke` endpoints. The flaw stems from the plugin's failure to verify the `sq_manage_settings` capability before processing these state-changing cloud API calls, meaning any contributor can silently destroy critical SEO and analytics data connections without administrator knowledge. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Google WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-8978 MEDIUM This Month

SQL Injection in OptinCraft (Drag & Drop Optins & Popup Builder for WordPress) versions up to and including 1.2.0 allows authenticated attackers with administrator-level access to extract sensitive data from the underlying WordPress database. The vulnerability exists in the 'order_by' parameter, which is passed without sufficient escaping or parameterized query preparation through the plugin's internal SQL compiler, enabling appending of arbitrary SQL to existing queries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact and network-accessible attack vector make it a meaningful data-disclosure risk in multi-administrator WordPress environments.

SQLi WordPress
NVD VulDB
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-7792 MEDIUM This Month

Unauthenticated webhook forgery in WPForms (wpforms-lite ≤1.10.0.1) enables payment fraud by allowing any remote attacker who knows a valid PayPal subscription_id to manipulate subscription payment records - including forcing a cancelled or suspended subscription back to active status - without any credentials or user interaction. The PayPal Commerce webhook endpoint accepts and acts on arbitrary JSON POST payloads, performing no HMAC-SHA256 origin verification, and trusts attacker-supplied resource data once the event_type field passes a whitelist check. No public exploit has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the zero-complexity attack path makes independent exploitation straightforward for anyone possessing a valid subscription_id.

Information Disclosure WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2500 MEDIUM This Month

Path traversal in the Quick Playground WordPress plugin (versions ≤ 1.3.4) exposes arbitrary server files to authenticated administrators. The flaw exists in client-qckply_data.php where the qckply_data() function forwards a user-supplied filename POST parameter directly into file_get_contents() without sanitization, enabling traversal sequences to escape the webroot and reach files such as wp-config.php or /etc/passwd. No public exploit exists and the vulnerability is not listed in the CISA KEV catalog, but exploitation would yield database credentials and other secrets with high confidentiality impact.

PHP Path Traversal WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-8502 MEDIUM This Month

Sensitive information exposure in LearnPress WordPress LMS Plugin (all versions through 4.3.6) allows unauthenticated remote attackers to extract plaintext passwords and unpublished course content via a crafted REST API request. The /wp-json/lp/v1/courses/archive-course endpoint accepts two query parameters - c_status=all and return_type=json - that together bypass a publish-only post_status filter and suppress a safe DISTINCT(ID) field override, triggering an unrestricted SELECT * fallback query against the WordPress posts table. Exposed data includes post_password in plaintext for password-protected courses, and post_content, post_author, and post_name for draft, private, and pending courses. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector makes it trivially scriptable at scale.

Authentication Bypass Information Disclosure WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-7796 MEDIUM This Month

Stored Cross-Site Scripting in the EmbedPress WordPress plugin (all versions through 4.5.3) allows authenticated attackers with contributor-level access to persistently inject arbitrary JavaScript via the block 'url' attribute, executing in the browsers of any user who visits an affected page. The vulnerability originates in insufficient sanitization within EmbedPressBlockRenderer.php and Helper.php, as confirmed by Wordfence and traceable to specific lines in the plugin's source repository. No public exploit code or CISA KEV listing has been identified at time of analysis, but the Scope:Changed CVSS designation reflects that successful exploitation affects resources beyond the vulnerable component itself - namely, victim browser sessions.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-7665 MEDIUM This Month

Information exposure in Essential Addons for Elementor (all versions ≤ 6.6.4) allows unauthenticated remote attackers to extract content from password-protected, private, and draft WordPress posts via the plugin's ajax_load_more AJAX endpoint. The root cause (CWE-639) is that user-controlled query parameters are accepted without enforcing WordPress native post-visibility access controls, bypassing the platform's built-in confidentiality model. No public exploit code has been identified at time of analysis, but the zero-authentication, zero-complexity attack surface on one of the most widely deployed Elementor add-ons makes this a realistic target for automated scanning campaigns.

Authentication Bypass Information Disclosure WordPress Elementor
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-7795 MEDIUM This Month

Stored Cross-Site Scripting in the Click to Chat - WA Widget WordPress plugin (holithemes, all versions through 4.38) allows authenticated Contributor-level users to inject persistent JavaScript payloads that execute in victim browsers when the rendered WhatsApp chat button is clicked. The root cause is a double-encoding bypass: esc_attr() sanitization produces HTML entities that are decoded back to literal characters by the browser's HTML parser before JavaScript evaluation inside an onclick event handler, completely defeating the intended escaping. No public exploit has been identified at time of analysis, but the detailed technical write-up from Wordfence combined with publicly browsable vulnerable source code significantly lowers the barrier to exploitation. Vendor-released patch version 4.39 is available.

PHP XSS WordPress RCE
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7537 HIGH This Week

Remote code execution in the MDJM Event Management WordPress plugin (versions through 1.7.8.3) allows authenticated administrators to upload arbitrary files, including executable PHP, via the mdjm_send_comm_email function which performs no file type, extension, or MIME validation. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS 3.1 score of 7.2, with publicly available exploit code existing on GitHub and a detailed write-up published by the researcher. No public exploit identified in CISA KEV, and exploitation requires administrator-level privileges, limiting realistic impact to post-compromise or insider scenarios.

File Upload WordPress RCE
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-7566 MEDIUM This Month

PHP Object Injection in the LearnPress - Backup & Migration Tool WordPress plugin (versions ≤ 4.1.4, by ThimPress) allows authenticated administrators to supply maliciously crafted serialized data through the plugin's import functionality, triggering unsafe PHP deserialization. The vulnerability itself carries no direct impact in isolation - exploitation is contingent on a separate plugin or theme installing a usable POP (Property-Oriented Programming) chain on the same site, at which point an attacker can escalate to arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS score of 6.6 (High complexity, High privileges required) reflects the constrained real-world conditions.

PHP Information Disclosure Deserialization WordPress
NVD VulDB
CVSS 3.1
6.6
EPSS
0.1%
CVE-2026-7565 MEDIUM This Month

Directory traversal in the LearnPress - Backup & Migration Tool plugin for WordPress (all versions through 4.1.4) allows authenticated administrators to read arbitrary files on the underlying server by supplying path traversal sequences via the 'import-user-file' parameter. Exploitation exposes highly sensitive server-side content - including wp-config.php database credentials, private keys, or system files - despite requiring high-privilege access. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV. The CVSS score of 4.9 reflects the high privilege barrier (PR:H), but the C:H confidentiality impact makes successful exploitation consequential.

Path Traversal WordPress
NVD VulDB
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-9280 MEDIUM This Month

Reflected XSS in the Ad Inserter - Ad Manager & AdSense Ads WordPress plugin (all versions through 2.8.15) enables unauthenticated attackers to inject arbitrary JavaScript into victim browsers by crafting malicious URLs targeting pages where iframe mode is active. The vulnerability exists because URL parameters passed through the plugin's iframe rendering path (class.php lines 3460, 3462, 3470) are insufficiently sanitized before output. Exploitation is contingent on a non-default configuration (iframe mode enabled) and requires social engineering to make a user click a crafted link, but no public exploit code has been identified at time of analysis.

XSS WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-9197 MEDIUM This Month

Directory traversal in the Smart Slider 3 WordPress plugin (all versions ≤ 3.5.1.36) exposes arbitrary server-side files to authenticated administrators via the replaceHTMLImage function in the plugin's slider export/backup subsystem. An attacker with administrator-level WordPress access can craft a request that traverses outside the intended directory and return the raw contents of sensitive files such as wp-config.php. No public exploit or CISA KEV listing exists at time of analysis, and the high privilege requirement (CVSS PR:H) substantially limits the realistic attack surface to insider threats, compromised admin accounts, or privilege-escalation chains.

Path Traversal WordPress
NVD VulDB
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-8991 MEDIUM This Month

Stored Cross-Site Scripting in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (all versions through 1.3.9.7) allows authenticated administrators to persist malicious JavaScript via the 'drag_n_drop_text' and 'drag_n_drop_browse_text' plugin settings fields, which subsequently execute in the browsers of any site visitor accessing a page containing an affected CF7 upload form. The CVSS Scope:Changed designation reflects this cross-user impact - a compromised or rogue admin can silently weaponize public-facing forms without further interaction. No public exploit or CISA KEV listing exists at time of analysis, and the CVSS score of 4.4 reflects the high privilege and high complexity prerequisites that substantially limit opportunistic exploitation.

XSS File Upload WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-8438 HIGH This Week

Stored cross-site scripting in the All-In-One Security (AIOS) WordPress plugin through version 5.4.7 allows unauthenticated attackers to inject JavaScript that executes when administrators view the debug logs page. The flaw was reported by Wordfence and requires two specific plugin settings to be enabled simultaneously, and no public exploit identified at time of analysis. Successful exploitation enables nonce theft and privileged actions on behalf of the administrator, potentially leading to full site takeover.

XSS WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-8901 HIGH This Week

Stored cross-site scripting in the Integration for Freshsales WordPress plugin (versions up to and including 1.0.15) allows unauthenticated attackers to inject arbitrary JavaScript via form submission data that executes when an administrator views the failed-CRM-call error log modal in wp-admin. The flaw, reported by Wordfence and tracked as CWE-79, carries CVSS 7.2 due to scope change (S:C) since the payload escapes from the form-submission context into the privileged admin panel, though no public exploit identified at time of analysis.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-9281 MEDIUM This Month

Stored Cross-Site Scripting in the Master Addons for Elementor WordPress plugin (versions up to and including 3.1.0) allows authenticated attackers with author-level access to inject persistent JavaScript into pages by exploiting a broken authorization boundary in the Custom JS Extension. The flaw arises because the unfiltered_html capability check is enforced only during UI rendering (Elementor control registration) and entirely absent from the save handler, permitting a crafted POST to admin-ajax.php?action=elementor_ajax to store arbitrary scripts that execute in every subsequent visitor's browser. No public exploit or CISA KEV listing has been identified at time of analysis, though the Wordfence disclosure and direct source-code references confirm the issue is well-documented.

PHP XSS WordPress Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-9008 MEDIUM This Month

Missing authorization in the Page-list WordPress plugin (all versions up to and including 6.2) allows authenticated contributors to read private and draft page content beyond their intended access scope. The [pagelist_ext] shortcode in the pagelist_unqprfx_ext_shortcode() function passes attacker-supplied post_status, post_type, and show_meta_key attributes directly into get_pages() and get_post_meta() with no capability check, and a critical amplification trigger - when no child pages exist, the query falls back to child_of => 0, broadening scope to every matching page on the entire site. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and straightforward exploitation path via shortcode injection make this a meaningful insider-threat risk on sites with sensitive unpublished content.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9719 MEDIUM This Month

Cross-Site Request Forgery in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.0) enables unauthenticated remote attackers to manipulate invoice status records - including fraudulently marking unpaid invoices as paid - by tricking an authenticated site administrator into triggering a forged HTTP request. The flaw originates in the change_status function of the invoices controller, which lacks proper WordPress nonce validation. No public exploit code or CISA KEV listing exists at time of analysis; however, the financial integrity risk to booking-oriented WordPress sites is disproportionately high relative to the moderate CVSS score of 4.3, which is suppressed by the required user interaction (UI:R) rather than by low business impact.

CSRF WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-9290 HIGH POC This Week

Local File Inclusion in the WP User Manager WordPress plugin (versions through 2.9.17) allows unauthenticated remote attackers to include and execute arbitrary .php files on the server via the profile tab query parameter. The flaw stems from missing validation of the tab value before it is passed to the profile template loader, enabling path traversal to any PHP file the web server can read. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV, but POC behavior is effectively documented in the upstream fix's traversal test cases.

WordPress Path Traversal RCE PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-8976 MEDIUM This Month

Authorization bypass in the RSS Aggregator by Feedzy WordPress plugin (all versions through 5.1.7) allows authenticated contributors to perform privileged import management actions - including force-deleting all posts tied to any import job, creating and executing RSS imports, clearing error logs, and enumerating taxonomy terms and post meta keys. The attack surface is widened by a nonce leak: the required nonce is exposed to any user holding the edit_posts capability via the feedzyjs localized script injected into the WordPress block editor, eliminating the need for any separate token-theft step. No public exploit has been identified at time of analysis, and CISA KEV listing is absent.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery.0.10. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery.16.0. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 8.1
HIGH POC This Week

Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticated attackers to forge RPC commands as the connected administrator by bypassing signature verification in the UpdraftPlus_Remote_Communications_V2::wp_loaded handler. A flaw in how unchecked decryption return values are handled collapses the encryption key to an all-zero value, enabling arbitrary plugin upload and activation. No public exploit identified at time of analysis, but the plugin's massive WordPress install base and trivial post-bypass impact make this a high-priority patch.

Jwt Attack Authentication Bypass WordPress +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM This Month

Stored Cross-Site Scripting in the Open User Map PRO WordPress plugin (versions ≤ 1.4.31) via the 'oum_location_notification' parameter enables unauthenticated attackers to persistently inject arbitrary JavaScript into WordPress pages. The injected payload executes in any visitor's browser upon accessing the affected page, with scope extending beyond the originating application context (S:C). No public exploit code or CISA KEV listing has been identified at time of analysis, but the unauthenticated injection surface lowers the barrier for mass exploitation against unpatched sites.

WordPress XSS
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

Unauthenticated time-based SQL injection in the Newsletters plugin for WordPress (versions up to and including 4.13) allows remote attackers to extract sensitive database contents via the 'wpmlsubscriber_id' parameter. The flaw stems from insufficient input escaping and lack of prepared statements, and no public exploit identified at time of analysis. The CVSS 7.5 score reflects confidentiality-only impact with no required authentication or user interaction.

SQLi WordPress
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated privilege escalation in the Doctreat Core WordPress plugin (versions ≤ 1.6.8) allows remote attackers to register accounts directly as administrators by abusing insufficient role validation in the doctreat_process_registration() function. With a CVSS of 9.8 and trivial exploitability (AV:N/AC:L/PR:N/UI:N), full site takeover is possible without credentials, though no public exploit has been identified at time of analysis and the CVE is not currently listed in CISA KEV.

Privilege Escalation WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Easy Image Collage WordPress plugin (all versions through 1.13.6) allows authenticated attackers with author-level access to permanently inject arbitrary JavaScript into pages via the `grid[properties][borderColor]` and `grid[images][N][attachment_url]` parameters, which executes in victims' browsers upon page load. The critical aggravating factor is that payloads are persisted via WordPress's `update_post_meta()` API rather than through post content, which deliberately sidesteps the `unfiltered_html` capability check that normally prevents lower-privilege users from injecting raw HTML - meaning site administrators cannot block this attack path through standard WordPress role controls alone. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low privilege requirement and well-documented bypass of WordPress hardening make this a credible threat on multi-author sites.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the MW WP Form WordPress plugin (all versions through 5.1.3) allows authenticated editor-level attackers to inject persistent malicious scripts via the 'memo' parameter that execute in the browsers of any user who views the affected contact data page. The vulnerability is made possible by a specific bypass of WordPress Core sanitization: because memo values are stored via update_post_meta() rather than wp_insert_post(), the native wp_kses_post() and unfiltered_html capability checks are never invoked, permitting editors - who are normally prevented from injecting raw HTML - to break out of the textarea element using injected closing tags. No public exploit has been identified at time of analysis, and the CVSS 4.4 Medium score reflects the high privilege and high complexity prerequisites.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the aThemes Addons for Elementor WordPress plugin (versions up to and including 1.1.8) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'title_tag' widget setting in the Posts Timeline and Posts Carousel widgets. The injected payload executes in the browsers of any user who subsequently visits the compromised page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing has been identified at time of analysis, though the contributor-level authentication barrier is low in multi-author WordPress deployments.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Unauthenticated arbitrary file upload in the Schema & Structured Data for WP & AMP WordPress plugin before version 1.60 allows remote attackers to upload any file type accepted by WordPress's media library through frontend AJAX handlers intended for images and videos only. The plugin fails to perform user capability checks and does not validate uploaded file content against the endpoint's declared media type. Publicly available exploit code exists via WPScan, increasing the urgency for immediate patching despite no confirmed in-the-wild exploitation.

File Upload WordPress
NVD WPScan
EPSS 0% CVSS 3.5
LOW POC PATCH Monitor

Stored Cross-Site Scripting in Store Locator WordPress plugin before 1.6.6 allows administrator-level users to inject persistent malicious scripts into the plugin's admin settings page, with execution triggered when any privileged user visits the page. Critically, this bypass works even when WordPress's `unfiltered_html` capability is restricted - a control commonly enforced in multisite networks - meaning a subsite admin could target visiting super admins. A publicly available exploit exists via WPScan, though no active exploitation has been confirmed by CISA KEV. CVSS rates this 3.5 (Low), but multisite deployments face materially higher practical risk.

XSS WordPress
NVD WPScan
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Stored cross-site scripting in the Anti-Spam by CleanTalk Spam Protection WordPress plugin before 6.79 allows unauthenticated remote attackers to inject arbitrary JavaScript into approved comments via a custom shortcode in the email-encoding feature, with execution occurring when any visitor or administrator views the affected post. Publicly available exploit code exists per WPScan, increasing exposure for the plugin's large WordPress installation base, though it requires user interaction (UI:R) to trigger the payload. The high CVSS score of 8.8 reflects the potential for administrator account compromise leading to full site takeover.

XSS WordPress
NVD WPScan
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Unauthenticated SQL injection in the XStore WordPress theme before 9.7.3 allows remote attackers to inject arbitrary SQL queries through an AJAX action that fails to sanitise and escape a user-supplied parameter. Publicly available exploit code exists per WPScan, and the changed scope (S:C) with high confidentiality impact indicates an attacker can extract sensitive data across security boundaries - including WordPress user records, password hashes, and configuration secrets - without any credentials or user interaction.

SQLi WordPress
NVD WPScan
EPSS 0% CVSS 6.4
MEDIUM This Month

DOM-Based Stored Cross-Site Scripting in the Animation Addons for Elementor WordPress plugin (all versions up to and including 2.6.7) allows authenticated attackers holding Contributor-level access or higher to inject persistent malicious scripts through multiple unsanitized plugin parameters. The injected payload executes in the browsers of any user who subsequently loads an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and the plugin is not listed in the CISA KEV catalog, but the Changed scope (S:C) in the CVSS vector elevates real-world impact beyond the 6.4 score suggests for multi-author WordPress deployments.

XSS WordPress
NVD
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Monitor

WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized subscription cancellation in weDevs User Frontend WordPress plugin (all versions through 4.3.2) allows any authenticated subscriber to cancel any other user's subscription pack, including administrators. The flaw stems from a missing capability check on the user_subscription_cancel() function, meaning low-privileged users can invoke privileged actions. No public exploit code has been identified and this is not listed in CISA KEV, but the low attack complexity and broad attacker pool (any registered subscriber) make this a realistic insider or account-takeover amplification risk.

Authentication Bypass WordPress
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Authenticated PHP Object Injection in the Blocksy WordPress theme (versions ≤ 2.1.35) allows contributor-level users to escalate to remote code execution by storing a malicious serialized object in post meta that is later deserialized during the V200 database migration. Wordfence-reported flaw chains weak input sanitization in blocksy_sanitize_post_meta_options() with an unconditional @unserialize() call in SearchReplacer::run_recursively(), triggering RaiiPattern::__destruct() to invoke arbitrary callables via call_user_func(). No public exploit identified at time of analysis, but the low-privilege requirement and high impact make this a meaningful priority for sites running upgraded Blocksy installations.

PHP Deserialization WordPress +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Prime Elementor Addons for WordPress (all versions through 1.3.3) allows authenticated attackers with contributor-level access to persist malicious scripts in widget HTML Tag settings that execute in any visitor's browser on page load. The vulnerability is notable for a specific filter bypass: payloads crafted without HTML angle brackets (e.g., 'img src=x onerror=alert(document.domain)') pass unmodified through Elementor's wp_kses_post() sanitization at save time, meaning even users lacking the unfiltered_html capability can inject effective XSS. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS WordPress Elementor
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

{id}-slug/) enforces a Content-Security-Policy header that blocks all inline scripts, meaning the attack surface is exclusively the WordPress admin dashboard preview context. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

XSS WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Server-side file exfiltration in the Slider Revolution WordPress plugin (≤7.0.10) allows any authenticated subscriber to copy arbitrary server files into the publicly accessible uploads directory. Three compounding design flaws enable this: a backend AJAX nonce is leaked to all authenticated users via the admin_footer hook, the image-creation action bypasses administrator-only access controls via an explicit allowlist entry, and the underlying file-copy function accepts local filesystem paths without restriction to HTTP/HTTPS URLs. No public exploit code or active exploitation has been identified at time of analysis, but the low privilege bar (subscriber-level account) and high confidentiality impact make this a meaningful risk for any WordPress site with open user registration.

Information Disclosure WordPress Slider Revolution
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation in the Events Calendar for GeoDirectory WordPress plugin (versions up to and including 2.3.28) allows authenticated Subscriber-level users to elevate to Administrator by abusing the ajax_ayi_action() AJAX handler, which writes attacker-controlled POST parameters directly into the wp_capabilities user meta key. The flaw stems from insufficient input filtering (strip_tags/esc_sql with no allow-list) on the type and postid fields before they reach update_user_meta(), enabling an attacker to set their own role to administrator. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Privilege Escalation WordPress
NVD
EPSS 0% CVSS 3.5
LOW PATCH Monitor

Stored cross-site scripting in the Custom Block Builder WordPress plugin (versions before 4.3.0) allows authenticated administrators to inject persistent JavaScript into block template code fields that executes in every visitor's browser on pages embedding the affected block. The vulnerability is specifically scoped to multisite WordPress installations or single-site deployments where DISALLOW_UNFILTERED_HTML is defined - environments that are supposed to restrict the unfiltered_html capability from lower-trust administrators. The root cause is inconsistent capability enforcement: certain code paths writing to block template fields bypass the unfiltered_html check that should gate raw HTML/JS input. No public exploit identified at time of analysis, and the CVSS score of 3.5 reflects the high-privilege prerequisite and limited confidentiality/integrity impact.

XSS WordPress
NVD WPScan VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WPForms WordPress plugin versions prior to 1.10.0.5 allow unauthenticated remote attackers to forge PayPal webhook payloads and manipulate the payment state of arbitrary transactions due to absent webhook authenticity verification. The endpoint blindly processes incoming PayPal webhook events without validating their origin or integrity, enabling attackers to mark pending or failed payments as completed. No public exploit has been identified at time of analysis, and EPSS at 0.02% (7th percentile) reflects low current exploitation activity, though the business impact of fraudulent payment confirmation can materially exceed what the CVSS integrity score suggests.

Authentication Bypass WordPress
NVD WPScan VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the kk Blog Card WordPress plugin (all versions ≤ 1.3) allows authenticated contributors to inject persistent JavaScript payloads via unsanitized 'href' and 'type' attributes of the [blog-card] shortcode. The flaw, rooted in direct attribute concatenation without sanitization or escaping in kk-blog-card-shortcode.php, executes injected scripts in the browser of any visitor loading an affected page - including administrators. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the changed scope (S:C) in the CVSS vector elevates potential impact beyond the plugin boundary.

PHP XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected Cross-Site Scripting in the Product Filter Widget for Elementor WordPress plugin (versions up to and including 1.0.6) enables unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser session. The vulnerability stems from unsanitized output of the 'args[filterFormArray]' parameter in a publicly accessible AJAX endpoint registered via wp_ajax_nopriv_ with no nonce verification or capability check, meaning any unauthenticated request to admin-ajax.php can carry the payload. Exploitation is delivered via a CSRF-style auto-submitting form, requiring the attacker to social-engineer a victim into visiting an attacker-controlled page; no public exploit code or CISA KEV listing has been identified at time of analysis.

PHP XSS CSRF +2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in FastPicker (versions up to and including 1.0.2), a WooCommerce order management plugin for WordPress, allows unauthenticated remote attackers to modify the plugin's administrative settings by tricking a logged-in site administrator into clicking a crafted link. Specifically, the `settingsPage` function in `Admin.php` lacks proper nonce validation, enabling forged POST requests that can toggle the plugin's webhook integration and redirect FastPicker and KDZ API endpoint URLs to attacker-controlled infrastructure. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

CSRF WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the jQuery Hover Footnotes WordPress plugin (all versions up to and including 1.4) enables unauthenticated remote attackers to chain CSRF into persistent stored Cross-Site Scripting affecting every visitor on the compromised site. The plugin's jqFootnotes_options_subpanel function lacks proper nonce validation, allowing a forged request to overwrite settings such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title with arbitrary HTML or JavaScript. Because these values are persisted via WordPress's update_option() without sanitization and rendered unescaped in frontend page output, a single successful social-engineering action against one administrator produces site-wide persistent XSS. No public exploit code is identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

CSRF XSS WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Request Forgery combined with stored XSS in the WP Emoticon Rating WordPress plugin (all versions ≤ 1.0.1) allows unauthenticated remote attackers to persistently inject malicious scripts into site settings by tricking a logged-in administrator into clicking a crafted link. The CVSS Scope:Changed rating reflects that the injected payload executes beyond the admin context, potentially affecting all site visitors. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

CSRF WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

{{...}}). The attack exploits an attribute-breakout technique - a double-quote followed by an event handler - that contains no angle brackets and therefore evades WordPress core's wp_kses_post() filter, which only strips disallowed HTML tags rather than sanitizing attribute injection contexts. The changed scope (S:C in the CVSS vector) means injected scripts execute in any victim's browser upon visiting a page containing the malicious footnote, enabling session theft, credential harvesting, or defacement at scale across site visitors. No public exploit code or CISA KEV listing has been identified at time of analysis.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WP ApplicantStack Jobs Display WordPress plugin (all versions through 1.1.1) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via unsanitized shortcode attributes. Because the CVSS vector reflects Changed Scope (S:C), successful injection impacts the browsers of any user - including administrators - who subsequently load the affected page, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and the vulnerability has not been added to CISA KEV.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the WP GDPR Cookie Consent WordPress plugin (versions up to and including 1.0.0, by techjewel) allows authenticated attackers with subscriber-level access to inject persistent malicious scripts into pages served to all site visitors. The vulnerability chains three distinct weaknesses in the handleAjaxCalls() function: absent capability verification, missing nonce validation, and unsanitized gdprConfig values that are echoed verbatim by generateCSS() into a <style> block on wp_head. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (subscriber-level) and changed scope (S:C) make this a meaningful risk for multi-user WordPress sites.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the ePaperFlip Publisher WordPress plugin (all versions up to and including 1) permits authenticated Contributors to inject arbitrary JavaScript via the 'publicationid' attribute of the epaperflip_embed shortcode, which is written unsanitized directly into inline JavaScript on rendered pages. The CVSS Changed scope (S:C) reflects that the injected payload executes in the browser context of any visitor who loads the compromised page, crossing trust boundaries beyond the plugin itself. No public exploit code has been identified at time of analysis and this vulnerability is not currently listed in the CISA KEV catalog.

XSS WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the AJAX Report Comments WordPress plugin (≤2.0.4) allows unauthenticated attackers to modify plugin settings by tricking a logged-in administrator into triggering a forged request. The rc_options_page function in report-comments.php performs missing or incorrect nonce validation, enabling an attacker to overwrite notification email addresses, comment thresholds, link text, and message bodies without any privileges of their own. No public exploit code or CISA KEV listing has been identified at time of analysis, but the notification email hijack vector makes this a meaningful integrity risk on affected sites.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated tenant data disclosure in the 6Storage Rentals WordPress plugin (versions up to and including 2.22.0) allows remote attackers to read and modify arbitrary tenant profile records - including names, emails, phone numbers, physical addresses, and SSNs - by enumerating numeric userId values. The flaw stems from AJAX handlers exposed via wp_ajax_nopriv_* hooks without ownership checks or nonce validation. No public exploit identified at time of analysis, but the bug is trivially scriptable and reported by Wordfence.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery combined with reflected XSS in the WpMobi WordPress plugin (all versions through 0.0.3) allows unauthenticated attackers to execute arbitrary JavaScript in an administrator's browser session by forging a settings-save request. The handleSaveGeneralSettings function performs no nonce validation, permitting any remote party to submit crafted plugin settings on behalf of an authenticated admin. A particularly notable aspect is that the injected script in the app_name parameter fires even when server-side validation rejects the value, because the view layer re-renders the form with the unsanitized in-memory value rather than a sanitized fallback - meaning the XSS trigger does not depend on successful data persistence. No public exploit code or CISA KEV listing has been identified at time of analysis.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the RomanCart Ecommerce WordPress plugin (versions ≤2.0.8) allows authenticated attackers holding contributor-level access or above to inject persistent malicious scripts via the 'blclass' attribute - and other attributes - of the romancart_button shortcode. The injected payload executes in any visitor's browser upon page load, enabling session hijacking, credential theft, or administrative account takeover. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and changed scope (S:C) elevate real-world concern for multi-author WordPress deployments.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

WP-Ultimate-Map plugin for WordPress (versions up to and including 1.1) is vulnerable to a chained CSRF-to-stored-XSS attack that allows unauthenticated network attackers to hijack plugin settings and inject persistent JavaScript into the WordPress admin panel. The missing nonce check on `process_init()` - hooked to `admin_init` - means any forged POST with a `save-setting` parameter will overwrite plugin options without any authentication or state validation. The injected `zoom-level` value is then stored unsanitized and reflected verbatim into an HTML attribute and inline JavaScript block on the settings page, completing the XSS chain. No public exploit identified at time of analysis.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the TinyMCE Shortcode Addon WordPress plugin (all versions ≤ 1.0.0) allows authenticated attackers with contributor-level access or higher to inject persistent JavaScript via the unsanitized 'btnrel' shortcode attribute. The injected script is stored server-side and executes in the browser of every subsequent visitor to the affected page, including administrators - enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

XSS WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated settings manipulation in Helpfulcrowd Product Reviews plugin for WordPress (versions up to and including 1.2.9) allows any remote attacker to overwrite arbitrary plugin configuration values in the WordPress database. The vulnerability stems from a PHP type juggling flaw in the token validation function combined with an openly accessible REST endpoint registered with `__return_true` as its permission callback. By submitting a JSON boolean `true` as the token value, an attacker bypasses the loose-comparison check (`!=`) in `helpfulcrowd_validate_token()` and gains full write access to the `helpfulcrowd_options` database option with no sanitization or allowlist enforcement. No public exploit or CISA KEV listing is identified at time of analysis.

PHP Memory Corruption WordPress +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Recover Exit For WooCommerce WordPress plugin (versions up to and including 1.0.3) allows remote unauthenticated attackers to include arbitrary local PHP files via the unsanitized `tpf` POST parameter passed to `include()` in the `recover_exit()` function. Successful exploitation can disclose sensitive files such as `wp-config.php` and, when combined with file upload primitives or log poisoning, escalate to remote code execution. No public exploit identified at time of analysis, though the vulnerable sink is documented in the plugin source on plugins.trac.wordpress.org.

Information Disclosure WordPress Path Traversal +4
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in WP Meta Sort Posts WordPress plugin (all versions ≤ 0.9) allows unauthenticated remote attackers to modify plugin settings by tricking a logged-in administrator into clicking a crafted link, due to missing nonce validation in msp-options.php. The CVSS vector (PR:N, UI:R) confirms the attacker requires no authentication but must social-engineer an administrator, with impact limited to changing the msp_loop_file and msp_nav_location settings. No active exploitation confirmed - this CVE is not listed in CISA KEV, no public exploit code has been identified, and EPSS data was not provided in available intelligence.

CSRF WordPress PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Global Body Mass Index Calculator WordPress plugin (versions up to and including 1.2) allows authenticated contributors to persistently inject arbitrary JavaScript into any page rendering the 'gbmicalc' shortcode. The vulnerability arises from PHP's @extract() call on unsanitized shortcode attributes followed by unescaped output into both an HTML style attribute context and an HTML body context inside GBMI_Calc_Widget::widget(), enabling attribute-breakout payloads. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, but the Wordfence-confirmed contributor-level requirement makes this a realistic risk for any multi-author WordPress installation.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Extra Settings for RocketChat WordPress plugin (versions up to and including 0.1) allows authenticated attackers with contributor-level access to permanently inject arbitrary JavaScript via the 'title' attribute of the [rocketchat] shortcode. The injected script persists in the database and executes in the browser of any site visitor who loads an affected page, enabling session hijacking, credential theft, or further privilege escalation depending on victim role. No public exploit code identified at time of analysis, and this CVE does not appear on the CISA KEV catalog.

XSS WordPress
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the FV Flowplayer Video Player WordPress plugin (versions through 7.5.49.7212) allows remote attackers to inject persistent JavaScript via the comment text field, which executes in any visitor's browser when the affected page is loaded. The flaw stems from insufficient input sanitization and output escaping in the comment-parsing routine and is reachable only when the non-default 'Parse Vimeo and YouTube links' (parse_comments) option is enabled and an administrator approves the malicious comment. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Enable Media Replace WordPress plugin (all versions through 4.1.8) allows authenticated attackers with Author-level access or higher to inject persistent malicious scripts via the unsanitized 'location_dir' parameter. The injected payload executes in the browser of any user who accesses an affected page, with scope changed (S:C) indicating cross-boundary impact - most critically, a low-privileged Author can compromise higher-privileged sessions including administrators. No public exploit identified at time of analysis, and no CISA KEV listing, but the low attack complexity and broad WordPress install base elevate practical risk.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Accordions plugin for WordPress (all versions through 2.3.23) enables authenticated attackers holding Custom-level roles or higher to permanently embed malicious JavaScript into Accordion body fields. The injected scripts execute in the browser of any user who subsequently visits an affected page, enabling session token theft, credential harvesting, or drive-by malware delivery within the WordPress site context. No public exploit has been identified at time of analysis, though an upstream fix commit is available in the plugin Trac repository.

XSS WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in WPZOOM's Recipe Card Blocks Lite WordPress plugin (all versions through 3.4.13) allows authenticated attackers with Author-level access or higher to inject persistent malicious scripts into published posts and recipe print views. The vulnerability is a sanitization bypass: the `WPZOOM_Helpers::deserialize_block_attributes` method re-decodes unicode-escaped character sequences back into raw HTML after WordPress's sanitization pipeline has already run, permitting crafted payloads in the recipe block's 'summary' and 'notes' attributes to survive sanitization and execute in victims' browsers. No public exploit code or CISA KEV listing exists at time of analysis, but the CVSS Changed Scope (S:C) rating reflects cross-user impact, including potential administrator session hijacking.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Path Traversal
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP XSS
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based SQL injection in the Photo Gallery by 10Web WordPress plugin (all versions through 1.8.41) enables authenticated contributors to exfiltrate arbitrary data from the WordPress database via a stored shortcode payload that is subsequently triggered without authentication. The attack exploits the 'compact_album_order_by' parameter passed through the 'shortcode_bwg' AJAX handler, where insufficient escaping and absent query preparation allow appended SQL clauses to survive into execution. Critically, the stored malicious shortcode can be activated by the unauthenticated 'bwg_frontend_data' AJAX handler, collapsing the effective authentication barrier after the initial store step. No public exploit code or CISA KEV listing has been identified at time of analysis.

SQLi WordPress
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in the Booking Package plugin for WordPress (versions up to and including 1.7.16) allows authenticated attackers with Editor-level access or above to take over any account, including Administrator accounts, by abusing the 'updateUser' branch of the package_app_action AJAX endpoint. The handler validates only a nonce and passes a hard-coded administrator flag to Schedule::updateUser(), letting attackers supply arbitrary target user IDs to wp_update_user() and reset the email and password of any account. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and results in full site compromise once an Editor account is obtained.

Authentication Bypass Privilege Escalation WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Log injection in the Debug Log Manager WordPress plugin (versions up to and including 2.5.0) allows unauthenticated remote attackers to write arbitrary forged entries into the site's debug log. The root cause is a broken authorization design: the `log_js_errors()` AJAX handler is registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors`, and the only gate-a WordPress nonce-is publicly broadcast in every page's front-end HTML via `wp_localize_script()` whenever JavaScript error logging is enabled, rendering it non-secret and thus non-protective. Exploitation enables log spoofing, masking of real malicious activity behind fabricated noise, and manipulation of administrator triage decisions. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Maps (all versions through 4.9.4) allows authenticated attackers holding the wpgmp_manage_location capability - granted to administrators by default but delegable to lower-privileged roles - to inject persistent malicious scripts via the 'location_messages' parameter. The CVSS scope change (S:C) confirms the injected payload executes across victim browser sessions on any page rendering the affected shortcode, enabling session hijacking or unauthorized actions on behalf of site visitors. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV; however, the delegable capability expands the potential attacker pool beyond pure administrators.

XSS Google WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Insecure Direct Object Reference in the Klamra Paycal for Aspaclaria WordPress plugin (all versions through 1.1.4) allows authenticated attackers with subscriber-level access to download invoices belonging to other customers by enumerating sequential WordPress post IDs via the unvalidated 'invoice_id' parameter. Exposed data includes full name, email address, phone number, order total, line items, and customer notes - constituting a significant billing PII breach for any e-commerce site running this plugin. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the low attack complexity and sequential enumeration method make mass harvesting of customer data straightforward for any authenticated user.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

{mapid}` endpoint - harvesting POI titles, addresses, geolocation coordinates, and body content - because the permission callback is hardcoded to `__return_true`. Separately, any authenticated user with at least Contributor-level WordPress access can issue write operations (update, delete, trash/restore, clone) against maps owned by other authors, because write endpoints gate only on the generic `edit_posts` capability and the model layer (`Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, `empty_trash()`) performs no ownership validation at any depth. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Squirrly SEO WordPress plugin (all versions through 12.4.16) allows authenticated attackers with contributor-level access to invoke privileged Squirrly cloud API operations reserved for administrators, including revoking the site's Google Search Console and Google Analytics integrations via the `api/gsc/revoke` and `api/ga/revoke` endpoints. The flaw stems from the plugin's failure to verify the `sq_manage_settings` capability before processing these state-changing cloud API calls, meaning any contributor can silently destroy critical SEO and analytics data connections without administrator knowledge. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Google WordPress
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

SQL Injection in OptinCraft (Drag & Drop Optins & Popup Builder for WordPress) versions up to and including 1.2.0 allows authenticated attackers with administrator-level access to extract sensitive data from the underlying WordPress database. The vulnerability exists in the 'order_by' parameter, which is passed without sufficient escaping or parameterized query preparation through the plugin's internal SQL compiler, enabling appending of arbitrary SQL to existing queries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact and network-accessible attack vector make it a meaningful data-disclosure risk in multi-administrator WordPress environments.

SQLi WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated webhook forgery in WPForms (wpforms-lite ≤1.10.0.1) enables payment fraud by allowing any remote attacker who knows a valid PayPal subscription_id to manipulate subscription payment records - including forcing a cancelled or suspended subscription back to active status - without any credentials or user interaction. The PayPal Commerce webhook endpoint accepts and acts on arbitrary JSON POST payloads, performing no HMAC-SHA256 origin verification, and trusts attacker-supplied resource data once the event_type field passes a whitelist check. No public exploit has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the zero-complexity attack path makes independent exploitation straightforward for anyone possessing a valid subscription_id.

Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Path traversal in the Quick Playground WordPress plugin (versions ≤ 1.3.4) exposes arbitrary server files to authenticated administrators. The flaw exists in client-qckply_data.php where the qckply_data() function forwards a user-supplied filename POST parameter directly into file_get_contents() without sanitization, enabling traversal sequences to escape the webroot and reach files such as wp-config.php or /etc/passwd. No public exploit exists and the vulnerability is not listed in the CISA KEV catalog, but exploitation would yield database credentials and other secrets with high confidentiality impact.

PHP Path Traversal WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Sensitive information exposure in LearnPress WordPress LMS Plugin (all versions through 4.3.6) allows unauthenticated remote attackers to extract plaintext passwords and unpublished course content via a crafted REST API request. The /wp-json/lp/v1/courses/archive-course endpoint accepts two query parameters - c_status=all and return_type=json - that together bypass a publish-only post_status filter and suppress a safe DISTINCT(ID) field override, triggering an unrestricted SELECT * fallback query against the WordPress posts table. Exposed data includes post_password in plaintext for password-protected courses, and post_content, post_author, and post_name for draft, private, and pending courses. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector makes it trivially scriptable at scale.

Authentication Bypass Information Disclosure WordPress
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the EmbedPress WordPress plugin (all versions through 4.5.3) allows authenticated attackers with contributor-level access to persistently inject arbitrary JavaScript via the block 'url' attribute, executing in the browsers of any user who visits an affected page. The vulnerability originates in insufficient sanitization within EmbedPressBlockRenderer.php and Helper.php, as confirmed by Wordfence and traceable to specific lines in the plugin's source repository. No public exploit code or CISA KEV listing has been identified at time of analysis, but the Scope:Changed CVSS designation reflects that successful exploitation affects resources beyond the vulnerable component itself - namely, victim browser sessions.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Information exposure in Essential Addons for Elementor (all versions ≤ 6.6.4) allows unauthenticated remote attackers to extract content from password-protected, private, and draft WordPress posts via the plugin's ajax_load_more AJAX endpoint. The root cause (CWE-639) is that user-controlled query parameters are accepted without enforcing WordPress native post-visibility access controls, bypassing the platform's built-in confidentiality model. No public exploit code has been identified at time of analysis, but the zero-authentication, zero-complexity attack surface on one of the most widely deployed Elementor add-ons makes this a realistic target for automated scanning campaigns.

Authentication Bypass Information Disclosure WordPress +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Click to Chat - WA Widget WordPress plugin (holithemes, all versions through 4.38) allows authenticated Contributor-level users to inject persistent JavaScript payloads that execute in victim browsers when the rendered WhatsApp chat button is clicked. The root cause is a double-encoding bypass: esc_attr() sanitization produces HTML entities that are decoded back to literal characters by the browser's HTML parser before JavaScript evaluation inside an onclick event handler, completely defeating the intended escaping. No public exploit has been identified at time of analysis, but the detailed technical write-up from Wordfence combined with publicly browsable vulnerable source code significantly lowers the barrier to exploitation. Vendor-released patch version 4.39 is available.

PHP XSS WordPress +1
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Remote code execution in the MDJM Event Management WordPress plugin (versions through 1.7.8.3) allows authenticated administrators to upload arbitrary files, including executable PHP, via the mdjm_send_comm_email function which performs no file type, extension, or MIME validation. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS 3.1 score of 7.2, with publicly available exploit code existing on GitHub and a detailed write-up published by the researcher. No public exploit identified in CISA KEV, and exploitation requires administrator-level privileges, limiting realistic impact to post-compromise or insider scenarios.

File Upload WordPress RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM This Month

PHP Object Injection in the LearnPress - Backup & Migration Tool WordPress plugin (versions ≤ 4.1.4, by ThimPress) allows authenticated administrators to supply maliciously crafted serialized data through the plugin's import functionality, triggering unsafe PHP deserialization. The vulnerability itself carries no direct impact in isolation - exploitation is contingent on a separate plugin or theme installing a usable POP (Property-Oriented Programming) chain on the same site, at which point an attacker can escalate to arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS score of 6.6 (High complexity, High privileges required) reflects the constrained real-world conditions.

PHP Information Disclosure Deserialization +1
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Directory traversal in the LearnPress - Backup & Migration Tool plugin for WordPress (all versions through 4.1.4) allows authenticated administrators to read arbitrary files on the underlying server by supplying path traversal sequences via the 'import-user-file' parameter. Exploitation exposes highly sensitive server-side content - including wp-config.php database credentials, private keys, or system files - despite requiring high-privilege access. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV. The CVSS score of 4.9 reflects the high privilege barrier (PR:H), but the C:H confidentiality impact makes successful exploitation consequential.

Path Traversal WordPress
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected XSS in the Ad Inserter - Ad Manager & AdSense Ads WordPress plugin (all versions through 2.8.15) enables unauthenticated attackers to inject arbitrary JavaScript into victim browsers by crafting malicious URLs targeting pages where iframe mode is active. The vulnerability exists because URL parameters passed through the plugin's iframe rendering path (class.php lines 3460, 3462, 3470) are insufficiently sanitized before output. Exploitation is contingent on a non-default configuration (iframe mode enabled) and requires social engineering to make a user click a crafted link, but no public exploit code has been identified at time of analysis.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM This Month

Directory traversal in the Smart Slider 3 WordPress plugin (all versions ≤ 3.5.1.36) exposes arbitrary server-side files to authenticated administrators via the replaceHTMLImage function in the plugin's slider export/backup subsystem. An attacker with administrator-level WordPress access can craft a request that traverses outside the intended directory and return the raw contents of sensitive files such as wp-config.php. No public exploit or CISA KEV listing exists at time of analysis, and the high privilege requirement (CVSS PR:H) substantially limits the realistic attack surface to insider threats, compromised admin accounts, or privilege-escalation chains.

Path Traversal WordPress
NVD VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (all versions through 1.3.9.7) allows authenticated administrators to persist malicious JavaScript via the 'drag_n_drop_text' and 'drag_n_drop_browse_text' plugin settings fields, which subsequently execute in the browsers of any site visitor accessing a page containing an affected CF7 upload form. The CVSS Scope:Changed designation reflects this cross-user impact - a compromised or rogue admin can silently weaponize public-facing forms without further interaction. No public exploit or CISA KEV listing exists at time of analysis, and the CVSS score of 4.4 reflects the high privilege and high complexity prerequisites that substantially limit opportunistic exploitation.

XSS File Upload WordPress
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the All-In-One Security (AIOS) WordPress plugin through version 5.4.7 allows unauthenticated attackers to inject JavaScript that executes when administrators view the debug logs page. The flaw was reported by Wordfence and requires two specific plugin settings to be enabled simultaneously, and no public exploit identified at time of analysis. Successful exploitation enables nonce theft and privileged actions on behalf of the administrator, potentially leading to full site takeover.

XSS WordPress
NVD VulDB
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Integration for Freshsales WordPress plugin (versions up to and including 1.0.15) allows unauthenticated attackers to inject arbitrary JavaScript via form submission data that executes when an administrator views the failed-CRM-call error log modal in wp-admin. The flaw, reported by Wordfence and tracked as CWE-79, carries CVSS 7.2 due to scope change (S:C) since the payload escapes from the form-submission context into the privileged admin panel, though no public exploit identified at time of analysis.

XSS WordPress Elementor
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Master Addons for Elementor WordPress plugin (versions up to and including 3.1.0) allows authenticated attackers with author-level access to inject persistent JavaScript into pages by exploiting a broken authorization boundary in the Custom JS Extension. The flaw arises because the unfiltered_html capability check is enforced only during UI rendering (Elementor control registration) and entirely absent from the save handler, permitting a crafted POST to admin-ajax.php?action=elementor_ajax to store arbitrary scripts that execute in every subsequent visitor's browser. No public exploit or CISA KEV listing has been identified at time of analysis, though the Wordfence disclosure and direct source-code references confirm the issue is well-documented.

PHP XSS WordPress +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in the Page-list WordPress plugin (all versions up to and including 6.2) allows authenticated contributors to read private and draft page content beyond their intended access scope. The [pagelist_ext] shortcode in the pagelist_unqprfx_ext_shortcode() function passes attacker-supplied post_status, post_type, and show_meta_key attributes directly into get_pages() and get_post_meta() with no capability check, and a critical amplification trigger - when no child pages exist, the query falls back to child_of => 0, broadening scope to every matching page on the entire site. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and straightforward exploitation path via shortcode injection make this a meaningful insider-threat risk on sites with sensitive unpublished content.

Authentication Bypass WordPress
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.0) enables unauthenticated remote attackers to manipulate invoice status records - including fraudulently marking unpaid invoices as paid - by tricking an authenticated site administrator into triggering a forged HTTP request. The flaw originates in the change_status function of the invoices controller, which lacks proper WordPress nonce validation. No public exploit code or CISA KEV listing exists at time of analysis; however, the financial integrity risk to booking-oriented WordPress sites is disproportionately high relative to the moderate CVSS score of 4.3, which is suppressed by the required user interaction (UI:R) rather than by low business impact.

CSRF WordPress
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

Local File Inclusion in the WP User Manager WordPress plugin (versions through 2.9.17) allows unauthenticated remote attackers to include and execute arbitrary .php files on the server via the profile tab query parameter. The flaw stems from missing validation of the tab value before it is passed to the profile template loader, enabling path traversal to any PHP file the web server can read. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV, but POC behavior is effectively documented in the upstream fix's traversal test cases.

WordPress Path Traversal RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the RSS Aggregator by Feedzy WordPress plugin (all versions through 5.1.7) allows authenticated contributors to perform privileged import management actions - including force-deleting all posts tied to any import job, creating and executing RSS imports, clearing error logs, and enumerating taxonomy terms and post meta keys. The attack surface is widened by a nonce leak: the required nonce is exposed to any user holding the edit_posts capability via the feedzyjs localized script injected into the WordPress block editor, eliminating the need for any separate token-theft step. No public exploit has been identified at time of analysis, and CISA KEV listing is absent.

Authentication Bypass WordPress
NVD VulDB
Prev Page 9 of 194 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy