Live Feed

Recent Vulnerabilities

WordPress plugin and theme CVEs published in the last 30 days, sorted by severity. Updated continuously from the Wordfence Intelligence feed.

100 vulnerabilities found

CVE-2026-4160 · medium · Authorization Bypass Through User-Controlled Key

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder · CVSS 5.3 · Apr 16, 2026

CVE-2026-3369 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Better Find and Replace – AI-Powered Suggestions <= 1.7.9 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Title

Better Find and Replace – AI-Powered Suggestions · CVSS 5.4 · Apr 15, 2026

CVE-2026-3155 · low · Missing Authorization

OneSignal – Web Push Notifications <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Post Meta Deletion via 'post_id'

OneSignal – Web Push Notifications · CVSS 3.1 · Apr 15, 2026

CVE-2026-3489 · high · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

DirectoryPress – Business Directory And Classified Ad Listing <= 3.6.26 - Unauthenticated SQL Injection via 'packages'

DirectoryPress – Business Directory And Classified Ad Listing · CVSS 7.5 · Apr 15, 2026

CVE-2026-0718 · medium · Missing Authorization

Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.5 - Missing Authorization to Limited Post Meta Modification

Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX · CVSS 5.3 · Apr 15, 2026

CVE-2025-14868 · high · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Career Section <= 1.6 - Cross-Site Request Forgery to Arbitrary File Deletion

Career Section · CVSS 8.8 · Apr 15, 2026

CVE-2026-3876 · high · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode

Prismatic · CVSS 7.2 · Apr 15, 2026

CVE-2026-3875 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BetterDocs <= 4.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

BetterDocs – Knowledge Base Docs & FAQ Solution for Elementor & Block Editor · CVSS 6.4 · Apr 15, 2026

CVE-2026-2840 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode

Email Encoder – Protect Email Addresses and Phone Numbers · CVSS 6.4 · Apr 15, 2026

CVE-2026-1572 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Unpatched

Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings

Livemesh Addons by Elementor · CVSS 6.4 · Apr 15, 2026

CVE-2026-1620 · high · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') · Unpatched

Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter

Livemesh Addons by Elementor · CVSS 8.8 · Apr 15, 2026

CVE-2025-13364 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'put_wpgm' Shortcode

WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters · CVSS 6.4 · Apr 15, 2026

CVE-2026-3995 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Unpatched

OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting

OPEN-BRAIN · CVSS 4.4 · Apr 15, 2026

CVE-2026-3355 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch'

Customer Reviews for WooCommerce · CVSS 6.1 · Apr 15, 2026

CVE-2026-3581 · medium · Missing Authorization

Basic Google Maps Placemarks <= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update

Basic Google Maps Placemarks · CVSS 5.3 · Apr 15, 2026

CVE-2026-3551 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Unpatched

Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting

Custom New User Notification · CVSS 4.4 · Apr 15, 2026

CVE-2026-3773 · medium · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') · Unpatched

Accessibility Suite by Ability, Inc <= 4.20 - Authenticated (Subscriber+) SQL Injection via 'scan_id' Parameter

Accessibility Suite by Ability, Inc · CVSS 6.5 · Apr 15, 2026

CVE-2026-3599 · high · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') · Unpatched

Riaxe Product Customizer <= 2.1.2 - Unauthenticated SQL Injection via 'options' Parameter Keys in product_data

Riaxe Product Customizer · CVSS 7.5 · Apr 15, 2026

CVE-2026-3595 · medium · Missing Authorization · Unpatched

Riaxe Product Customizer <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter

Riaxe Product Customizer · CVSS 5.3 · Apr 15, 2026

CVE-2026-3596 · critical · Missing Authorization · Unpatched

Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action

Riaxe Product Customizer · CVSS 9.8 · Apr 15, 2026

CVE-2026-3614 · high · Missing Authorization

AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress · CVSS 8.8 · Apr 15, 2026

CVE-2026-5050 · high · Improper Verification of Cryptographic Signature

Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation

Payment Gateway for Redsys & WooCommerce Lite · CVSS 7.5 · Apr 15, 2026

CVE-2026-4032 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CodeColorer <= 0.10.1 - Unauthenticated Stored Cross-Site Scripting via 'class' attribute in 'cc' Comment Shortcode

CodeColorer · CVSS 6.1 · Apr 15, 2026

CVE-2026-5070 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vantage <= 1.20.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Block Text Content

Vantage · CVSS 6.4 · Apr 15, 2026

CVE-2026-3878 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Docs <= 2.2.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'wpdocs_options[icon_size]'

WP Docs · CVSS 6.4 · Apr 15, 2026

CVE-2026-3885 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode

WP Shortcodes Plugin — Shortcodes Ultimate · CVSS 6.4 · Apr 15, 2026

CVE-2026-3299 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP YouTube Lyte <= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode

WP YouTube Lyte · CVSS 6.4 · Apr 15, 2026

CVE-2026-4880 · critical · Improper Privilege Management

Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication

Barcode Scanner (+Mobile App) – Inventory manager, Order fulfillment system, POS (Point of Sale) · CVSS 9.8 · Apr 15, 2026

CVE-2026-4949 · medium · Missing Authorization

ProfilePress <= 4.16.12 - Missing Authorization to Authenticated (Subscriber+) Inactive Membership Plan Subscription

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress · CVSS 4.3 · Apr 15, 2026

CVE-2026-1852 · medium · Cross-Site Request Forgery (CSRF)

Product Pricing Table by WooBeWoo <= 1.1.0 - Cross-Site Request Forgery to Stored XSS and Pricing Table Deletion

WordPress · CVSS 6.1 · Apr 14, 2026

CVE-2026-1782 · medium · Improper Input Validation

MetForm Pro <= 3.9.7 - Unauthenticated Payment Amount Manipulation via 'mf-calculation'

WordPress · CVSS 5.3 · Apr 14, 2026

CVE-2026-3461 · critical · Authentication Bypass Using an Alternate Path or Channel · Unpatched

Visa Acceptance Solutions <= 2.1.0 - Unauthenticated Authentication Bypass via Billing Email

Visa Acceptance Solutions · CVSS 9.8 · Apr 14, 2026

CVE-2026-3643 · high · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Unpatched

Accessibly <= 3.0.3 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API

Accessibly – WordPress Website Accessibility · CVSS 7.2 · Apr 14, 2026

CVE-2026-4005 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Unpatched

Coachific Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'userhash' Shortcode Attribute

WordPress · CVSS 6.4 · Apr 14, 2026

CVE-2026-3659 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Unpatched

WP Circliful <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

WP Circliful · CVSS 6.4 · Apr 14, 2026

CVE-2026-3998 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Unpatched

WM JqMath <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'style' Shortcode Attribute

WM JqMath · CVSS 6.4 · Apr 14, 2026

CVE-2026-4091 · medium · Cross-Site Request Forgery (CSRF) · Unpatched

OPEN-BRAIN <= 0.5.0 - Cross-Site Request Forgery

OPEN-BRAIN · CVSS 6.1 · Apr 14, 2026

CVE-2026-4002 · medium · Cross-Site Request Forgery (CSRF) · Unpatched

Petje.af <= 2.1.8 - Cross-Site Request Forgery to Account Deletion via 'petjeaf_disconnect' AJAX Action

Petje.af · CVSS 4.3 · Apr 14, 2026

CVE-2026-3649 · medium · Missing Authorization · Unpatched

Katalogportal-pdf-sync Widget <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action

Katalogportal-pdf-sync Widget · CVSS 5.3 · Apr 14, 2026

CVE-2026-3642 · medium · Missing Authorization · Unpatched

e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Form Settings Modification via AJAX

WordPress · CVSS 5.3 · Apr 14, 2026

CVE-2026-4011 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Unpatched

Power Charts <= 0.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

Power Charts – Responsive Beautiful Charts & Graphs · CVSS 6.4 · Apr 14, 2026

CVE-2026-5717 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Unpatched

VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute

VI: Include Post By · CVSS 6.4 · Apr 14, 2026

CVE-2026-5617 · high · Authorization Bypass Through User-Controlled Key · Unpatched

Login as User <= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation via 'oclaup_original_admin' Cookie

Login as User – Switch User & WooCommerce Login as Customer · CVSS 8.8 · Apr 14, 2026

CVE-2026-5694 · high · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') · Unpatched

Quick Interest Slider <= 3.1.5 - Unauthenticated Stored Cross-Site Scripting

Quick Interest Slider · CVSS 7.2 · Apr 14, 2026

CVE-2026-6293 · medium · Cross-Site Request Forgery (CSRF) · Unpatched

Inquiry form to posts or pages <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'inq_header' Parameter

WordPress · CVSS 4.3 · Apr 14, 2026

CVE-2026-1555 · critical · Unrestricted Upload of File with Dangerous Type · Unpatched

WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload

WordPress · CVSS 9.8 · Apr 14, 2026

CVE-2026-4812 · medium · Missing Authorization

Advanced Custom Fields (ACF®) <= 6.7.0 - Unauthenticated Missing Authorization to Arbitrary Post/Page Disclosure via AJAX Field Query Parameters

Advanced Custom Fields (ACF®) · CVSS 5.3 · Apr 14, 2026

CVE-2026-1509 · medium · Improper Control of Generation of Code ('Code Injection')

Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Limited Arbitrary WordPress Action Execution

WordPress · CVSS 5.4 · Apr 14, 2026

CVE-2026-1541 · medium · Authorization Bypass Through User-Controlled Key

Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference

WordPress · CVSS 4.3 · Apr 14, 2026

CVE-2026-2834 · high · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Age Verification & Identity Verification by Token of Trust <= 3.32.3 - Unauthenticated Stored Cross-Site Scripting via 'description' Parameter

Age Verification & Identity Verification by Token of Trust · CVSS 7.2 · Apr 14, 2026

CVE-2026-2396 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

List View Google Calendar <= 7.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via Event Description

List View Google Calendar · CVSS 4.4 · Apr 14, 2026

CVE-2025-15470 · medium · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Eleganzo <= 1.2 - Authenticated (Subscriber+) Arbitrary Directory Deletion

WordPress · CVSS 6.5 · Apr 14, 2026

CVE-2026-1314 · medium · Missing Authorization

3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery <= 1.16.17 - Missing Authorization to Unauthenticated Private/Draft Flipbook Data Exposure

3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery · CVSS 5.3 · Apr 14, 2026

CVE-2025-15565 · medium · Missing Authorization

Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification

Nexi XPay · CVSS 5.3 · Apr 14, 2026

CVE-2026-4109 · medium · Missing Authorization

Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) <= 4.1.8 - Missing Authorization to Authenticated (Subscriber+) Order Information Exposure

Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) · CVSS 4.3 · Apr 13, 2026

CVE-2026-2582 · medium · Improper Control of Generation of Code ('Code Injection')

Germanized for WooCommerce <= 3.20.5 - Unauthenticated Arbitrary Shortcode Execution

Germanized for WooCommerce · CVSS 6.5 · Apr 13, 2026

CVE-2026-3017 · high · Deserialization of Untrusted Data

Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts <= 3.0.12 - Authenticated (Administrator+) PHP Object Injection

Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts · CVSS 7.2 · Apr 13, 2026

CVE-2026-4479 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

WholeSale Products Dynamic Pricing Management WooCommerce · CVSS 4.4 · Apr 13, 2026

CVE-2026-4059 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute

ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin · CVSS 6.4 · Apr 13, 2026

CVE-2026-1607 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Surbma | Booking.com <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Surbma | Booking.com Shortcode · CVSS 6.4 · Apr 13, 2026

CVE-2026-6227 · high · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BackWPup <= 5.6.6 - Authenticated (Administrator+) Local File Inclusion via 'block_name' Parameter

BackWPup – WordPress Backup & Restore Plugin · CVSS 7.2 · Apr 13, 2026

CVE-2026-4388 · high · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Form Maker by 10Web <= 1.15.40 - Unauthenticated Stored Cross-Site Scripting via Matrix Field Text Box

Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder · CVSS 7.2 · Apr 13, 2026

CVE-2026-4365 · critical · Missing Authorization

LearnPress <= 4.3.2.8 - Missing Authorization to Unauthenticated Arbitrary Quiz Answer Deletion

LearnPress – WordPress LMS Plugin for Create and Sell Online Courses · CVSS 9.1 · Apr 13, 2026

CVE-2026-4352 · high · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

JetEngine <= 3.8.6.1 - Unauthenticated SQL Injection via '_cct_search' Parameter

WordPress · CVSS 7.5 · Apr 13, 2026

CVE-2026-6203 · medium · URL Redirection to Untrusted Site ('Open Redirect')

User Registration & Membership <= 5.1.4 - Unauthenticated Open Redirect via 'redirect_to_on_logout' Parameter

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder · CVSS 6.1 · Apr 13, 2026

CVE-2026-5809 · high · External Control of File Name or Path

wpForo Forum <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion via 'data[body][fileurl]' Parameter

wpForo Forum · CVSS 7.1 · Apr 10, 2026

CVE-2026-5207 · medium · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

LifterLMS <= 9.2.1 - Authenticated (Custom+) SQL Injection via 'order' Parameter

LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes · CVSS 6.5 · Apr 10, 2026

CVE-2026-4979 · medium · Server-Side Request Forgery (SSRF)

UsersWP <= 1.2.58 - Authenticated (Subscriber+) Server-Side Request Forgery via 'uwp_crop' Parameter

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP · CVSS 5.0 · Apr 10, 2026

CVE-2026-5144 · high · Improper Privilege Management

BuddyPress Groupblog <= 1.9.3 - Authenticated (Subscriber+) Privilege Escalation to Administrator via Group Blog IDOR

BuddyPress Groupblog · CVSS 8.8 · Apr 10, 2026

CVE-2026-3498 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

BlockArt Blocks <= 2.2.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'clientId' Block Attribute

BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library · CVSS 6.4 · Apr 10, 2026

CVE-2026-3371 · medium · Authorization Bypass Through User-Controlled Key

Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification

Tutor LMS – eLearning and online course solution · CVSS 4.3 · Apr 10, 2026

CVE-2026-5217 · high · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Optimole <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting via Srcset Descriptor Parameter

Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization · CVSS 7.2 · Apr 10, 2026

CVE-2026-4895 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Greenshift <= 12.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via disablelazy Attribute

Greenshift – animation and page builder blocks · CVSS 6.4 · Apr 10, 2026

CVE-2026-3358 · medium · Missing Authorization

Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment

Tutor LMS – eLearning and online course solution · CVSS 5.4 · Apr 10, 2026

CVE-2026-5226 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Optimole <= 4.2.3 - Reflected Cross-Site Scripting via Page Profiler URL

Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization · CVSS 6.1 · Apr 10, 2026

CVE-2026-4162 · high · Missing Authorization

Gravity SMTP <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall

WordPress · CVSS 7.1 · Apr 9, 2026

CVE-2026-2305 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AddFunc Head & Footer Code <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields

AddFunc Head & Footer Code · CVSS 6.4 · Apr 9, 2026

CVE-2026-1924 · medium · Cross-Site Request Forgery (CSRF)

Aruba HiSpeed Cache <= 3.0.4 - Cross-Site Request Forgery to Plugin Settings Reset

Aruba HiSpeed Cache · CVSS 4.3 · Apr 9, 2026

CVE-2026-4977 · medium · Missing Authorization

UsersWP <= 1.2.58 - Authenticated (Subscriber+) Restricted Usermeta Modification via 'htmlvar' Parameter

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP · CVSS 4.3 · Apr 9, 2026

CVE-2026-3360 · high · Missing Authorization

Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter

Tutor LMS – eLearning and online course solution · CVSS 7.5 · Apr 9, 2026

CVE-2026-1263 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Webling <= 3.9.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'title' Parameter

Webling · CVSS 6.4 · Apr 9, 2026

CVE-2026-4664 · medium · Improper Authentication

Customer Reviews for WooCommerce <= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter

Customer Reviews for WooCommerce · CVSS 5.3 · Apr 9, 2026

CVE-2026-4305 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Royal WordPress Backup & Restore Plugin <= 1.0.16 - Reflected Cross-Site Scripting via 'wpr_pending_template' Parameter

Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely · CVSS 6.1 · Apr 9, 2026

CVE-2026-4057 · medium · Missing Authorization

Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal

Download Manager · CVSS 4.3 · Apr 9, 2026

CVE-2026-4351 · high · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Perfmatters <= 2.5.9 - Authenticated (Subscriber+) Arbitrary File Overwrite via 'snippets' Parameter

WordPress · CVSS 8.1 · Apr 9, 2026

CVE-2026-2712 · medium · Incorrect Authorization

WP-Optimize <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update and Image Manipulation

WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance · CVSS 5.4 · Apr 9, 2026

CVE-2026-5742 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

UsersWP <= 1.2.60 - Authenticated (Subscriber+) Stored Cross-Site Scripting via User Badge Link Substitution

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP · CVSS 6.4 · Apr 8, 2026

CVE-2026-1830 · critical · Missing Authorization

Quick Playground <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload

Quick Playground · CVSS 9.8 · Apr 8, 2026

CVE-2026-4336 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate FAQ Accordion Plugin <= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via FAQ Content

Ultimate FAQ Accordion Plugin · CVSS 6.4 · Apr 8, 2026

CVE-2026-5357 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Download Manager · CVSS 6.4 · Apr 8, 2026

CVE-2026-5711 · medium · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Blocks & Tools <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle' Block Attribute

Post Blocks & Tools · CVSS 6.4 · Apr 8, 2026

CVE-2026-5436 · high · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys

MW WP Form · CVSS 8.1 · Apr 8, 2026

CVE-2026-0811 · medium · Cross-Site Request Forgery (CSRF)

Advanced CF7 DB <= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion

Advanced Contact form 7 DB · CVSS 5.4 · Apr 8, 2026

CVE-2026-0814 · medium · Missing Authorization

Advanced CF7 DB <= 2.0.9 - Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export

Advanced Contact form 7 DB · CVSS 4.3 · Apr 8, 2026

CVE-2026-2942 · critical · Unrestricted Upload of File with Dangerous Type

ProSolution WP Client <= 1.9.9 - Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess

ProSolution WP Client · CVSS 9.8 · Apr 8, 2026

CVE-2026-39587 · critical · Improper Privilege Management

WP BASE Booking of Appointments, Services and Events <= 5.9.0 - Unauthenticated Privilege Escalation

WP BASE Booking of Appointments, Services and Events · CVSS 9.8 · Apr 8, 2026

WF-d7261e93-2341-4e14-a9b3-8fec295f6cde-nextend-smart-slider3-pro · critical · Embedded Malicious Code

Smart Slider 3 Pro 3.5.1.35 - Backdoor Embedded via Supply Chain Compromise

WordPress · CVSS 9.8 · Apr 8, 2026

CVE-2026-39583 · critical · Incorrect Privilege Assignment

Datalogics Ecommerce Delivery – Datalogics <= 2.6.62 - Unauthenticated Privilege Escalation

Datalogics Ecommerce Delivery – Datalogics · CVSS 9.8 · Apr 8, 2026

CVE-2026-39546 · high · Incorrect Privilege Assignment

MultiLoca <= 4.2.15 - Authenticated (Subscriber+) Privilege Escalation

WordPress · CVSS 8.8 · Apr 8, 2026

CVE-2026-39591 · high · Unrestricted Upload of File with Dangerous Type

WP-BusinessDirectory – Business directory plugin for WordPress <= 4.0.0 - Authenticated (Subscriber+) Arbitrary File Upload

WP-BusinessDirectory – Business directory plugin for WordPress · CVSS 8.8 · Apr 8, 2026