Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...

ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation

The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...

CVE-2026-5294

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files...

CVE-2026-5294

CVE-2026-5294 : The Geeky Bot plugin for WordPress, affected in versions up to 1.2.2, suffers a Missing Authorization vulnerability via a nopriv AJAX route (geekybot_frontendajax). Attacker-controlled model/function dispatch reaches a plugin installer helper that downloads and unzips attacker-sup...

CVE-2026-5294 GeekyBot <= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files...

CVE-2026-5464

The ExactMetrics – Google Analytics Dashboard for WordPress Website Stats Plugin plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboardingkey' transient to a...

WordPress ExactMetrics plugin <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process vulnerability

Authenticated Editor+ Arbitrary Plugin Installation/Activation via exactmetricsconnectprocess vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin ExactMetrics versions = 9.1.2...

PT-2026-31563

Name of the Vulnerable Software and Affected Versions Vertex Addons for Elementor plugin for WordPress versions up to and including 1.6.4 Description The Vertex Addons for Elementor plugin for WordPress is susceptible to a missing authorization issue. This is caused by insufficient authorization...

CVE-2026-39621 WordPress SpicePress theme <= 2.3.2.5 - CSRF to Arbitrary Plugin Installation vulnerability

Cross-Site Request Forgery CSRF vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server.This issue affects SpicePress: from n/a through = 2.3.2.5...

CVE-2026-39617

CVE-2026-39617 is a CSRF vulnerability in the WordPress Bluestreet theme (

CVE-2026-39617 WordPress Bluestreet theme <= 1.7.3 - Cross Site Request Forgery (CSRF) to Arbitrary Plugin Installation vulnerability

Cross-Site Request Forgery CSRF vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through = 1.7.3...

CVE-2026-39617 WordPress Bluestreet theme <= 1.7.3 - Cross Site Request Forgery (CSRF) to Arbitrary Plugin Installation vulnerability

Cross-Site Request Forgery CSRF vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through = 1.7.3...

WordPress ExactMetrics plugin 8.6.0-9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation

Authenticated Custom Insecure Direct Object Reference to Arbitrary Plugin Installation vulnerability discovered by Ali Sünbül in WordPress Plugin ExactMetrics versions 8.6.0-9.0.2...

CVE-2026-1720

The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'installandactiveplugin' function in all versions up to, and including, 1.4.24. This...

WordPress WowOptin: Next-Gen Popup Maker - Create Stunning Popups and Optins for Lead Generation plugin <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Installation vulnerability

WordPress WowOptin: Next-Gen Popup Maker - Create Stunning Popups and Optins for Lead Generation plugin = 1.4.24 - Missing Authorization to Authenticated Subscriber+ Arbitrary plugin Installation vulnerability discovered by WordFence in WordPress Plugin WowOptin versions = 1.4.24...

CVE-2026-1720

The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'installandactiveplugin' function in all versions up to, and including, 1.4.24. This...

CVE-2026-1720 WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'installandactiveplugin' function in all versions up to, and including, 1.4.24. This...

CVE-2026-1720

The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'installandactiveplugin' function in all versions up to, and including, 1.4.24. This...

CVE-2025-12975 CTX Feed – WooCommerce Product Feed Manager <= 6.6.11 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Plugin Installation

The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woofeedplugininstalling function in all versions up to, and including, 6.6.11. This makes it possible for authenticated...

CVE-2025-12975

The CVE-2025-12975 entry concerns CTX Feed – WooCommerce Product Feed Manager for WordPress (