385 matches found
CVE-2026-7640
The WP Customer Area WordPress plugin is vulnerable to Stored Cross-Site Scripting via the type attribute of the customer-area-protected-content shortcode in all versions up to 8.3.5, due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access...
CVE-2026-12385 Smart Slider 3 <= 3.5.1.37 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via WP_Query Parameter Injection via 'keyword' Parameter
The Smart Slider 3 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.1.37 via the 'keyword' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles and full content...
CVE-2026-1359 Genolve – AI image AI video generation <= 5.0.5 - Authenticated (Contributor+) Incorrect Authorization to Privilege Escalation via theopt
The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolvesetOpt function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-leve...
CVE-2026-15292
The Sudoku Shortcode plugin for WordPress is affected by CVE-2026-15292: Stored Cross-Site Scripting via the background parameter in the sudoku-sc shortcode, in all versions up to and including 1.0.0. Exploitation requires authenticated access at Contributor level or higher, enabling an attacker ...
WordPress weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by PRISM in WordPress Plugin weDocs versions = 2.3.0...
CVE-2026-13295
The CVE-2026-13295 entry concerns the Page Builder by SiteOrigin WordPress plugin. A stored XSS vulnerability affects all versions up to 2.34.3, caused by insufficient input sanitization and output escaping of the panels_data parameter. Authenticated users with Contributor-level access and above ...
CVE-2026-13335
The CodePeople Post Map for Google Maps WordPress plugin is vulnerable to Stored XSS via the 'cpm_point' Post Meta in all versions up to 1.2.6 due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary scripts t...
WordPress Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin <= 6.1.4 - Page Builder for Gutenberg Blocks & Patterns <= 6.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Page Builder for Gutenberg Blocks & Patterns plugin = 6.1.4 - Page Builder for Gutenberg Blocks & Patterns = 6.1.4 - Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Viet Anh Ngo in WordPress Plugin Essential Blocks for Gutenberg versions = 6.1.4...
PT-2026-50845
Name of the Vulnerable Software and Affected Versions The Royal Addons for Elementor – Addons and Templates Kit for Elementor versions 1.7.1058 through 1.7.1059 Description An arbitrary file read issue exists due to the wpr get csv handle helper function. When the settings.table upload csv.url...
WordPress BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot plugin <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Craniums in WordPress Plugin BetterDocs versions = 4.5.3...
CVE-2026-12111
The CVE describes a vulnerability in WordPress plugin Appointment Booking Calendar (
CVE-2026-11357
The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editorassetsvariables. This makes it possible for authenticated attackers, with contributor-level access and abov...
WordPress Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure vulnerability
Authenticated Contributor+ Sensitive Information Exposure vulnerability discovered by se1en in WordPress Plugin Gutenberg Blocks by Kadence Blocks versions = 3.7.5...
CVE-2026-10024
CVE-2026-10024 affects the TinyMCE shortcode Addon for WordPress (versions
PT-2026-47723
Name of the Vulnerable Software and Affected Versions Blocksy versions prior to 2.1.36 Description Insufficient input sanitization in the blocksy sanitize post meta options function allows authenticated attackers with contributor-level access or higher to store serialized PHP object strings in po...
WordPress Extra Settings for RocketChat plugin <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by MAJidox in WordPress Plugin Extra Settings for RocketChat versions = 0.1...
WordPress Plugin Name: ePaperFlip Publisher plugin <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Plugin Name: ePaperFlip Publisher versions = 1...
CVE-2026-9829 Photo Gallery by 10Web <= 1.8.41 - Authenticated (Contributor+) SQL Injection via 'compact_album_order_by' Shortcode Parameter
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compactalbumorderby' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient...
CVE-2026-7654 Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of unserialize without an allowedclasses restriction in the IdsToCollection::getidsfromstring function, which processes...
WordPress EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by UKO - Korea univ. in WordPress Plugin EmbedPress versions = 4.5.3...