CVE-2026-2993

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query in the getListForTbl function. This makes...

CVE-2026-4119

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers adminpost action hooks for creating tables adminpostaddtable and deleting tables adminpostdeletedbtable without implementing any capability checks via...

CVE-2026-4365

The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the deletequestionanswer function in all versions up to, and including, 4.3.2.8. The plugin exposes a wprest nonce in public frontend HTML lpData to unauthenticated visitors, and...

CVE-2026-8732

The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmptempaccessajax AJAX action being registered with wpajaxnopriv and protected only by a nonce check using the...

EUVD-2026-34888

The WP Captcha PRO the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajaxruntool AJAX handler relying solely on a nonce check...

CVE-2026-5415

The CVE-2026-5415 issue affects the WP Captcha PRO plugin for WordPress (

CVE-2026-5415

The WP Captcha PRO the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajaxruntool AJAX handler relying solely on a nonce check...

Drift-Protocol-Exploit-2026

Case Study: Drift Protocol $285M Logic Exploit April 2026 A...

PT-2026-47069

Name of the Vulnerable Software and Affected Versions Frontend User Notes versions prior to 2.1.2 Description The plugin is subject to Cross-Site Request Forgery CSRF, a flaw where an attacker tricks a logged-in user into executing unwanted actions. This occurs due to missing or incorrect nonce...

PT-2026-47075

Name of the Vulnerable Software and Affected Versions LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.6.1 Description The plugin is affected by Cross-Site Request Forgery, a flaw where an attacker tricks a victim into performing actions they did not intend to...

PT-2026-47033

Name of the Vulnerable Software and Affected Versions WP Captcha PRO versions prior to 5.39 Description An authentication bypass exists due to the ajax run tool AJAX handler relying only on a nonce check via check ajax referer without performing capability checks. This is combined with the create...

PT-2026-47064

Name of the Vulnerable Software and Affected Versions Alba Board versions prior to 2.1.4 Description The plugin fails to properly verify if a user is authorized to perform specific actions, leading to an authorization bypass. This allows authenticated attackers with subscriber-level access or...

PT-2026-47073

Name of the Vulnerable Software and Affected Versions RSS Aggregator by Feedzy versions prior to 5.1.8 Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Authenticated attackers with contributor-level access ...

CVE-2026-10737

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the viewfile function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links f...

EUVD-2026-34190

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the viewfile function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links f...

PT-2026-46111

Name of the Vulnerable Software and Affected Versions SP Project & Document Manager versions prior to 4.72 Description Unauthorized access is possible due to a missing capability check in the view file function. Unauthenticated attackers can read file metadata and obtain download links for...

CVE-2026-36609

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding securityEncode function, this allows an attacker to reverse captured authentication...

EUVD-2026-34055

The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the formsettingsui settings save handler, procedural include scope functio...

CVE-2026-9732

The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the formsettingsui settings save handler, procedural include scope functio...

CVE-2026-36609

Mercusys AC12G (EU) V1 router affected. The vulnerability stems from a static authentication nonce that does not change between requests from the same source IP, compounded by a predictable XOR-based password encoding (securityEncode). This combination enables an attacker who captures authenticat...