CVE-2026-4006

The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayname' post meta Custom Field in all versions up to and including 2.6.2. This is due to insufficient input sanitization and output escaping on the author display name when no author URL is...

CVE-2025-11197

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-7843 Auto Save Remote Images (Drafts) <= 1.0.9 - Authenticated (Contributor+) Server-Side Request Forgery

The Auto Save Remote Images Drafts plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetchimages function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to...

CVE-2025-7843

CVE-2025-7843 — Auto Save Remote Images (Drafts) (WordPress) SSRF . The WordPress plugin (versions up to and including 1.0.9) is affected via fetch_images(), enabling authenticated attackers with Contributor+ privileges to make outbound requests from the web app and potentially access internal se...

WordPress Auto Save Remote Images (Drafts) plugin <= 1.0.9 - Authenticated (Contributor+) Server-Side Request Forgery vulnerability

Authenticated Contributor+ Server-Side Request Forgery vulnerability discovered by Nabil Irawan in WordPress Plugin Auto Save Remote Images Drafts versions = 1.0.9...