CVE-2026-12407
The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screenaction function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path...
EUVD-2025-210254
Unauthenticated Local File Inclusion in LuxMed | Medicine & Healthcare Doctor WordPress Theme = 1.2.2 versions...
EUVD-2025-210259
Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme = 3.1.3 versions...
EUVD-2026-37647
Unauthenticated Arbitrary File Download in WP Media folder Addon = 4.0.1 versions...
EUVD-2026-37644
Unauthenticated SQL Injection in WP eMember v10.9.4 versions...
EUVD-2026-37642
Unauthenticated PHP Object Injection in WP Activity Log = 5.6.3.1 versions...
EUVD-2026-37588
Author Broken Access Control in W3 Total Cache = 2.9.1 versions...
EUVD-2026-37661
Unauthenticated Cross Site Request Forgery (CSRF) in WordPress Dating Theme = 11.2.0 versions...
EUVD-2026-37660
Unauthenticated SQL Injection in WPJobster = 6.3.5 versions...
EUVD-2026-37662
Unauthenticated Broken Access Control in WordPress Dating Theme = 11.2.0 versions...
EUVD-2026-37552
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listingloadmore AJAX handler accepts a filteredquery parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However,...
EUVD-2026-37586
The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the RegistryUserRole parameter. This is due to the plugin's admin menu being registered at the editposts...
EUVD-2026-37585
The Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.13 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level...
EUVD-2025-210229
Subscriber SQL Injection in Events Schedule - WordPress Events Calendar Plugin = 2.7.2 versions...
EUVD-2025-210225
Subscriber Arbitrary File Deletion in WPBot Pro Wordpress Chatbot = 13.6.5 versions...
EUVD-2025-210228
Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site = 1.0.7 versions...
EUVD-2024-55626
Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes Skyline WP allows Cross Site Request Forgery. This issue affects Skyline WP: from n/a through 1.0.10...
EUVD-2025-210217
Unauthenticated Arbitrary File Download in Premium Age Verification / Restriction for WordPress = 3.0.2 versions...
WordPress E2Pdf – Export Pdf Tool for WordPress plugin <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation vulnerability
Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation vulnerability discovered by endy in WordPress Plugin e2pdf versions <= 1.32.26...
WordPress Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification vulnerability
Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification vulnerability discovered by Kirasec in WordPress Plugin Dokan versions <= 5.0.3...