976 matches found
PT-2026-22319
The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...
Novarain/Tassos Framework, , SQL Injection
allow SQL injection and unauthenticated file reads. Attackers can chain these issues for administrator takeover and remote code execution on unpatched systems. Affected extensions include Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack, all relying on the...
CVE-2025-14983 Advanced Custom Fields: Font Awesome <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...
CVE-2025-14983
The CVE refers to WordPress plugin Advanced Custom Fields: Font Awesome Field (
CVE-2025-12081 ACF Photo Gallery Field <= 3.0 - Missing Authorization to Authenticated (Subscriber+) Attachment Metadata Modification
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acfphotogalleryeditsave" function in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with subscriber level acce...
WordPress Advanced Custom Fields: Font Awesome plugin <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by JongHwan Shin zzzsleep in WordPress Plugin Advanced Custom Fields: Font Awesome Field versions <= 5.0.1...
WordPress plugin Advanced Custom Fields: Font Awesome Field Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
WordPress ACF Photo Gallery Field plugin <= 3.0 - Missing Authorization to Authenticated (Subscriber+) Attachment Metadata Modification vulnerability
Missing Authorization to Authenticated Subscriber+ Attachment Metadata Modification vulnerability discovered by Rafshanzani Suhada in WordPress Plugin ACF Photo Gallery Field versions <= 3.0...
CVE-2026-21626
Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector and information disclosure...
CVE-2026-21626
CVE-2026-21626 affects EasyDiscuss for Joomla (StackIdeas). The issue is that access control settings for forum post custom fields are not applied when data is output in JSON, causing an ACL bypass and potential information disclosure. Multiple sources (NVD, Red Hat, CVE list, CVE records) descri...
EUVD-2026-5682
Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector and information disclosure...
CVE-2026-21626 Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla
Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector and information disclosure...
Advanced Custom Fields Extended < 0.9.2 - Remote Code Execution
Advanced Custom Fields: Extended WordPress plugin 0.9.0.5 through 0.9.1.1 contains a remote code execution vulnerability caused by unsafe use of call_user_func_array in prepareform function, letting unauthenticated attackers execute arbitrary code remotely. id: CVE-2025-13486 info: name: Advanced Custom Fields...
XWiki XML View - Sensitive Information Exposure
A vulnerability in XWiki's XML view functionality exposes sensitive information such as passwords and email addresses that are stored in custom fields not explicitly named as password or email. This information disclosure occurs when accessing user profiles with the xml.vm template. id:...
CVE-2026-0800
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom fields in all versions up to, and including, 20251210 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-0800
CVE-2026-0800 affects the WordPress plugin “User Submitted Posts – Enable Users to Submit Posts from the Front End.” The vulnerability is an unauthenticated Stored Cross-Site Scripting via custom fields, exploitable on pages that render an injected field. All versions up to and including 20251210...