46 matches found
CVE-2026-8892
The CM Business Directory – Optimise and showcase local business plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Business Address Meta Fields in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for...
WordPress Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin <= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Quiz Modification and Email Reroute vulnerability
Missing Authorization to Authenticated Contributor+ Arbitrary Quiz Modification and Email Reroute vulnerability discovered by Kirasec in WordPress Plugin Quiz And Survey Master versions = 11.1.4...
CVE-2026-57765
Contributor SQL Injection in WP EasyCart = 5.9.0 versions...
WordPress Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin <= 5.9.27 - Missing Authorization to Authenticated (Contributor+) Settings Modification vulnerability
Missing Authorization to Authenticated Contributor+ Settings Modification vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Email Subscribers & Newsletters versions = 5.9.27...
CVE-2026-57651
Contributor Cross Site Scripting XSS in Ghost Kit = 3.6.0 versions...
EUVD-2026-39762
Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer = 1.6.1 versions...
EUVD-2026-39733
Contributor Arbitrary File Deletion in H5P = 1.17.7 versions...
EUVD-2026-39728
Contributor Remote Code Execution RCE in Blocksy Companion Pro = 2.1.45 versions...
PT-2026-52812
Name of the Vulnerable Software and Affected Versions Gallery versions prior to 4.7.9 Description An issue exists that allows for SQL Injection, a technique where malicious SQL statements are inserted into entry fields for execution, specifically affecting contributors. Recommendations Update to ...
EUVD-2026-39385
Contributor Broken Access Control in Slim SEO = 4.6.2 versions...
EUVD-2026-37605
Contributor Remote Code Execution RCE in Blocksy Companion Pro = 2.1.37 versions...
CVE-2026-6962
CVE-2026-6962 affects the WordPress plugin “Cost of Goods: Product Cost & Profit Calculator for WooCommerce.” Vulnerable component: the shortcodes alg_wc_cog_product_cost and alg_wc_cog_product_profit in all versions up to 4.1.0. Root cause: insufficient input sanitization and output escaping on ...
WordPress Forms Rb plugin <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification vulnerability
Missing Authorization to Authenticated Contributor+ Arbitrary Modification vulnerability discovered by ? in WordPress Plugin Forms Rb versions = 1.1.9...
WordPress iVysilani Shortcode plugin <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'width' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin iVysilani Shortcode versions = 3.0...
WordPress WP NG Weather plugin <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP NG Weather versions = 1.0.9...
WordPress Gutena Forms plugin < 1.6.1 - Contributor+ Arbitrary Limited Options Update vulnerability
Contributor+ Arbitrary Limited Options Update vulnerability discovered by yiğit ibrahim sağlam in WordPress Plugin Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder versions 1.6.1...
WordPress UpMenu plugin <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin UpMenu versions = 3.1...
WordPress Relevanssi Premium plugin < 2.29.0 - Contributor+ SQLi vulnerability
Contributor+ SQLi vulnerability discovered by Drew Webber mcdruid in WordPress Plugin Relevanssi Premium versions 2.29.0...
Insertion of Sensitive Information Into Sent Data
Overview johnpbloch/wordpress-core is a web software you can use to create a website or blog. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data. An attacker can access sensitive information by leveraging contributor-level privileges to retrieve...
CVE-2023-23728
Auth. contributor+ Cross-Site Scripting XSS vulnerability in Winwar Media WP Flipclock plugin = 1.7.4 versions...